Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d32db29f6db8f9f…

MALICIOUS

PDF

242.2 KB Created: 2022-02-26 19:15:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-14
MD5: 0ed3f62259d797477b45ad9ae069c9c8 SHA-1: 017a9e3f7650a3c406f4396ec3cd15ee6359e700 SHA-256: 0d32db29f6db8f9fbad5b748bf9904774011bf919a7ba21002a44d42a649994a
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and multiple external URIs, including one pointing to a compromised WordPress upload directory. The heuristic 'PDF_SEO_UTM_REDIRECTOR_LINK' indicates an image lure for free-download phishing, suggesting the document is designed to trick users into downloading further malicious content. The embedded JavaScript likely facilitates the download or execution of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7620

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://norin.co.za/XSRYdR1H?utm_term=skype+mac+os+x+10.+6 PDF link annotation
    • https://doctmcooper.com/userfiles/files/2522585334.pdfIn PDF document text
    • https://giyimkent.formenemlak.com/upload/ckfinder/files/81989606484.pdfIn PDF document text
    • http://thetuckerfamilyreunion.com/clients/67950/File/76895277216.pdfIn PDF document text
    • http://dolgoprudnyj.inhome360.ru/admin/ckfinder/userfiles/files/zutipase.pdfIn PDF document text
    • http://birnagarcollege.in/userfiles/file/netob.pdfIn PDF document text
    • http://3dtechgroup.com/uploads/image/files/43525591489.pdfIn PDF document text
    • https://mklaassen.nl/images/file/roxup.pdfIn PDF document text
    • http://xn--c1aejbdnke.xn--p1ai/admin/ckfinder/userfiles/files/34839910269.pdfIn PDF document text
    • https://www.la-melodie-des-saveurs.fr/ckfinder/userfiles/files/luzodesofa.pdfIn PDF document text
    • https://zenithoverseas.com/assets/userfiles/files/vutilemuposise.pdfIn PDF document text
    • https://hetodon.com/fckeditorfiles/file/92776765661.pdfIn PDF document text
    • http://dailythang.com/userfiles/files/jefakore.pdfIn PDF document text
    • http://101balkon.ru/upload/files/78830164685.pdfIn PDF document text
    • https://www.naturecare.com.au/kcfinder/upload/files/fajarerok.pdfIn PDF document text
    • http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/161734a0052eb5---72410160192.pdfIn PDF document text
    • https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/478877ebabbef4ad310b665288c8c74d/metitanetotejifemezof.pdfIn PDF document text
    • http://anapro.com/ckfinder/userfiles/files/53229040289.pdfIn PDF document text
    • https://naseeha.org/wp-content/plugins/super-forms/uploads/php/files/4d8537af2e32f803a0d5a5d0fcf70769/82899785958.pdfIn PDF document text
    • http://www.2m-france.com/img/uploaded/file/4984802771.pdfIn PDF document text
    • http://finara-v.com/file_media/file_image/file/98776865992.pdfIn PDF document text
    • https://grandioso.asia/editor_upload_image/file/11703699828.pdfIn PDF document text
    • http://modnyi-buket.ru/uploads/files/widalokowox.pdfIn PDF document text
    • https://coastalholidayproperty.com/ckfinder/userfiles/files/7110171618.pdfIn PDF document text
    • https://egyiksem.hu/uploads/file/dodudowevuwuzowesaruram.pdfIn PDF document text
    • http://rajskiewakacje.pl/userfiles/file/wopitalago.pdfIn PDF document text
    • https://bcbc3399.com/upload/files/1602783363.pdfIn PDF document text
    • https://qigoodteam.com/uploads/files/202201290044416141.pdfIn PDF document text
    • https://mccartha-cobb.com/userfiles/files/99304794996.pdfIn PDF document text
    • https://berker-rozetki.su/kcfinder/upload/files/sewidukuvatadimutasaku.pdfIn PDF document text
    • https://mtydizayn.com/userfiles/file/19874209889.pdfIn PDF document text
    • http://avandcie-automation.com/ckfinder/userfiles/files/gawopum.pdfIn PDF document text
    • https://culturasiapamplona.com/guiarte_userfiles/files/mutajegamojedajupokes.pdfIn PDF document text
    • http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/161a9281c5ab9d---zabexasolejudavog.pdfIn PDF document text
    • http://pusheng168.com/uploadfiles/20210804024152.pdfIn PDF document text
    • http://altiro.nl/home/tjerk/file/16329085773.pdfIn PDF document text
    • http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/161623b2a8887a---marupokuziweda.pdfIn PDF document text
    • http://grappin-annat-como.com/userfiles/grappin-annat-como.com/file/5578953492.pdfIn PDF document text
    • https://ceb.lk/assets/js/kcfinder/upload/files/15971963238.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00035329.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x35329 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off00036a49.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x36A49 10884 bytes
SHA-256: ccc7d12977bc79fcf178c318804fc321fe6cd091ba7008da64ad8e4dc2128704
font_02_sfnt_off00038390.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x38390 20724 bytes
SHA-256: 825d2126768e631b6be907b9ecccf977cd5858b78026b6e7343da3dd9c9acc5b