Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d3011348d0126b2…

MALICIOUS

PDF

287.2 KB Created: 2022-03-15 01:07:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-14
MD5: 2babedb455647abbce10b847e07420ce SHA-1: 1a4125d869a8bde3ea278ea96885c3b142e96fc0 SHA-256: 0d3011348d0126b27bacc8078999da71f93b6dfcc199304c7d5a610ed3ccef5e
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file contains embedded JavaScript and multiple external URIs, including a link farm pointing to a compromised WordPress upload. The primary URL, https://mifuj.co.za/XSRYdR1H, is identified as an SEO redirector likely used for phishing. The embedded JavaScript and the nature of the links suggest an attempt to lure the user to a malicious site, potentially for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7171

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mifuj.co.za/XSRYdR1H?utm_term=cintas+uniform+services+dallas+tx PDF link annotation
    • https://milanibeaudoin.com/admin/ckeditor/kcfinder/upload/files/wopagovagogot.pdfIn PDF document text
    • http://csc-028.com/userfiles/file/20220309234832_ritbjk.pdfIn PDF document text
    • http://evo-models.com/uploads/userfiles/files/miverumutifuv.pdfIn PDF document text
    • http://kmjmt.com/news/upload/file/220203020842617783zg5kjc.pdfIn PDF document text
    • http://devison-matras.ru/upload/file/lolutiresazozow.pdfIn PDF document text
    • http://khotelmarket.com/FileData/ckfinder/files/20220202_750151A9191A3F13.pdfIn PDF document text
    • http://www.praasia.com/file/files/47295149200.pdfIn PDF document text
    • http://ersenergy.com/UserFiles/file/14238682237.pdfIn PDF document text
    • http://www.iece.in/userfiles/file/fozifidelaxumobagi.pdfIn PDF document text
    • https://livbiopharma.com/userfiles/file/lezeruzogojatozax.pdfIn PDF document text
    • http://sgiworld.com/cache/fck_files/file/42641811624.pdfIn PDF document text
    • http://xsjsbzrw.com/uploads/files/10435621972.pdfIn PDF document text
    • http://undergroundspitters.nl/kcfinder/upload/files/48645501510.pdfIn PDF document text
    • https://www.entornopublicitario.com/wp-content/plugins/super-forms/uploads/php/files/0c288247c004ed2a6834cb7985076278/nagevediludidopojojuxo.pdfIn PDF document text
    • https://decoveinvestment.com/userfiles/file/22016010897.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/16201ab09576cc---wagejajevu.pdfIn PDF document text
    • http://cobansut.com/userfiles/file/jegadajutes.pdfIn PDF document text
    • http://ominocoibaffi.it/userfiles/files/jobuwubadoxodus.pdfIn PDF document text
    • http://www.mgamk.ru/ckeditor/kcfinder/upload/files/kugopajonal.pdfIn PDF document text
    • http://giverny-bkk.com/upload/files/53565623725.pdfIn PDF document text
    • https://citronel.com/userfiles/files/zubeninojudak.pdfIn PDF document text
    • https://silatur.com/js/ckfinder/userfiles/files/36741704961.pdfIn PDF document text
    • http://basumati.com/app/webroot/ckfinder/userfiles/files/35348203673.pdfIn PDF document text
    • http://haenuri.net/ckupload/files/paxamilovim.pdfIn PDF document text
    • https://entabe.com/upload/20220225/files/46031524984.pdfIn PDF document text
    • http://hoaisonland.vn/upload/files/pobemasuwasules.pdfIn PDF document text
    • http://www.platformliften.info/wp-content/plugins/formcraft/file-upload/server/content/files/1620aba3d2fa14---durivudixukub.pdfIn PDF document text
    • https://styliststudios.com/imagesTE/file/75578134344.pdfIn PDF document text
    • http://snft.ro/media/file/temotuxomuvuvax.pdfIn PDF document text
    • http://keralabiblesociety.com/fck_uploads/file/10073993991.pdfIn PDF document text
    • https://konferencia2012.medius.sk/userfiles/file/58996504434.pdfIn PDF document text
    • https://karmak-makina.com/upload/files/79900626635.pdfIn PDF document text
    • http://cablexconsulting.com/Upload/file/bunadanuxika.pdfIn PDF document text
    • http://kozelsk-adm.ru/files/uploads/files/pevaturutizenediwaw.pdfIn PDF document text
    • https://kit-veron.my/ckfinder/userfiles/files/80487653272.pdfIn PDF document text
    • https://dev-intranet.publiticket.fr/intranet/upload_fckeditor/file/jowabunizagunubipalifide.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000410ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x410AB 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off000427c6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x427C6 17072 bytes
SHA-256: ed29e7554a362cad7eb6fb33a4908ed829ab4a99ef3b303ac1defef7a8888ac9
font_02_sfnt_off000453e7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x453E7 10936 bytes
SHA-256: 364fbb964b6818cf167cf2b56c03e8e92ff926f59836441cfb04e61b7f5ba756