Malicious PDF — malware analysis report

Static analysis result for SHA-256 0808b60dbe02ddd3…

MALICIOUS

PDF

324.3 KB Created: 2022-01-24 06:54:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-05-21
MD5: 64260e7453d06773b7e1219f3f020d55 SHA-1: adecea7d4407e2f500a2915a6a1b6de92f693ad9 SHA-256: 0808b60dbe02ddd393964796fa449214dd57c78695918f70ac8f09abfbcfd062
224 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.7501

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://huntic.ru/uplcv?utm_term=informe+onu+cambio+clim%C3%A1tico+2019 In PDF document text
    • http://poptheme.cn/uploadfile/files/20211103_113516.pdfIn PDF document text
    • https://too.kg/wp-content/plugins/super-forms/uploads/php/files/6dffdd6a4d6dcce9efb5270b003fc0e1/narofomawinuvolirobun.pdfIn PDF document text
    • http://norilsk.torbay.ru/images/uploads/file/lakatexamoxegomatudabe.pdfIn PDF document text
    • https://accuratesearch.com/userfiles/file/49428999122.pdfIn PDF document text
    • http://acsalma.hu/userfiles/files/88779739646.pdfIn PDF document text
    • https://renhedc.com/uploads/files/202112071759575578.pdfIn PDF document text
    • http://hcbarrett.com/user_area/file/wofuk.pdfIn PDF document text
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/161a782dc99ea9---xegosepexowavefezum.pdfIn PDF document text
    • https://zemtechnika.lt/public/site/0files/46321959084.pdfIn PDF document text
    • http://akinmedikal.com/uploads/file/suxafurivunezudorujes.pdfIn PDF document text
    • http://ackerviewguesthouse.com/userfiles/file/sefitinefupinakete.pdfIn PDF document text
    • https://equimat-cheval.fr/file/11926335756.pdfIn PDF document text
    • http://jmk.kr/ckfinder/userfiles/files/patefusawotoposiped.pdfIn PDF document text
    • http://www.fliesen-brill.de/wp-content/plugins/formcraft/file-upload/server/content/files/16199bb0dbf4bd---fapagepexot.pdfIn PDF document text
    • http://hexindechem.com/upload/files/16200532510.pdfIn PDF document text
    • https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/880f8546d2d4678eff2c983cbae146af/gosowunoburepulezovaxiwo.pdfIn PDF document text
    • https://sme.bankai.lv/ckfinder/userfiles/files/zigajadoruwugubogiwomuso.pdfIn PDF document text
    • http://rbc-bezorgdiensten.nl/upload/mudamu.pdfIn PDF document text
    • http://catwalkexotique.com/userfiles/mitebobani.pdfIn PDF document text
    • https://299-45.com/CKEdit/upload/files/nunokiragezo.pdfIn PDF document text
    • http://webinaris.training/ckfinder/userfiles/publics/files/sewewu.pdfIn PDF document text
    • http://salda.lt/saldus/kcfinder/upload/files/65308892352.pdfIn PDF document text
    • http://teknis.it/userfiles/files/19342495018.pdfIn PDF document text
    • http://wohingltd.com/userfiles/mukozipenovoxukireweta.pdfIn PDF document text
    • https://profm.hu/files/file/99126381971.pdfIn PDF document text
    • https://volnynaklad.cz/data/file/zebavejelosogad.pdfIn PDF document text
    • http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/527187655fdd2ab4035072c5fe6dccec/riwidefabagukejenorijam.pdfIn PDF document text
    • https://arvikabc.com/images/uploadedimages/file/xojowob.pdfIn PDF document text
    • https://xpress2.eu/ckfinder/userfiles/files/23714854385.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn extracted file (font_00_sfnt_off0004a37e.bin)
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn extracted file (font_00_sfnt_off0004a37e.bin)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0004a37e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4A37E 17416 bytes
SHA-256: 435ba031e7ce454482e1c2d98964fbc1f8b3f563cc492ff8109ec5b65bfeedcb
font_01_sfnt_off0004cfb3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4CFB3 16416 bytes
SHA-256: cfa2c3fbce80cc5607e01af033b793d17c57c214fb1d96e845eedea48cccd336
font_02_sfnt_off0004e657.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4E657 11160 bytes
SHA-256: 271db6d0669d6cf0d8f1e9a357b0afbe0a9bfcfe91818aa3070fd21f7bec8830