Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d399c333a4f6239…

MALICIOUS

PDF

73.4 KB Created: 2022-04-09 09:53:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-14
MD5: a7bfb7973ef5c336ea3e8ac4af6943d8 SHA-1: 6861f265fe7e6e4bc3e9e182e887b6c55e07cc4a SHA-256: 0d399c333a4f623940135b2ef5ecd42115e55d5550fff8af21cd1af25be60fa3
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wirut.co.za/YmrXLWy8?keyword=can%20you%20wear%20ergobaby%20on%20back PDF link annotation
    • https://nuxutesinof.weebly.com/uploads/1/3/1/4/131437012/7171766.pdfIn PDF document text
    • https://fonagidosoribir.weebly.com/uploads/1/3/7/5/137515196/fibof.pdfIn PDF document text
    • http://aptekainternetowa.net/_mdm_apteki/file/30275196980.pdfIn PDF document text
    • http://faithhh.net/js/kcfinder/upload/files/69924034522.pdfIn PDF document text
    • https://bancaycanh.vn/upload/files/febufozosalotilunokutebo.pdfIn PDF document text
    • https://xuxerativizujaf.weebly.com/uploads/1/3/1/0/131070719/bifeg.pdfIn PDF document text
    • https://pamemigewoguvo.weebly.com/uploads/1/3/4/4/134438925/d18e6da9be.pdfIn PDF document text
    • https://kawavaturitavo.weebly.com/uploads/1/3/5/3/135321378/nuvem-vamivu-nituzade-dijoj.pdfIn PDF document text
    • https://sawifumoz.weebly.com/uploads/1/3/1/3/131380604/649023.pdfIn PDF document text
    • https://rugazodexozapef.weebly.com/uploads/1/3/4/4/134480570/6662875.pdfIn PDF document text
    • https://dipotuvikaru.weebly.com/uploads/1/4/1/2/141258614/2953394.pdfIn PDF document text
    • https://inwestorfinanse.pl/userfiles/file/1144820762.pdfIn PDF document text
    • https://romesezex.weebly.com/uploads/1/3/4/6/134605020/perido_pinepoxugefu.pdfIn PDF document text
    • https://wovugozota.weebly.com/uploads/1/3/2/6/132695813/modatuwajugotib.pdfIn PDF document text
    • https://dupujemewo.weebly.com/uploads/1/3/4/0/134040979/nefegalewe_wovigidaxur.pdfIn PDF document text
    • https://hamayeshniroo.com/shop/file/14488654764.pdfIn PDF document text
    • https://atahca.pt/atahca_gestor/kcfinder/upload/files/15295140080.pdfIn PDF document text
    • https://ceilford.org/wp-content/plugins/super-forms/uploads/php/files/a492721048d5a292c01581fcbeb17e79/94311709168.pdfIn PDF document text
    • https://hotelmitrutarija.com/uploaded/files/90020448857.pdfIn PDF document text
    • https://donetemewebise.weebly.com/uploads/1/3/7/5/137518568/427e44490d44.pdfIn PDF document text
    • https://nakipoglugroup.com/upload/ckfinder/files/87196187326.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bdc2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBDC2 16376 bytes
SHA-256: c3f74fbf427457e7555b15c1845a3d1d7947e82a261831c9ea0af6b3dc0e3e11
font_01_sfnt_off0000e852.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE852 10564 bytes
SHA-256: 2e4a4af2c2e69980410357bc4d92900c29c0582961f97b5a9741d8cf88c3e654
font_02_sfnt_off000100a9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x100A9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.