Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d3ee68a5c1cafb2…

MALICIOUS

PDF

588.0 KB Created: 2022-03-03 20:50:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-14
MD5: 593af1cd1a445d1da2800d07ffb37cf0 SHA-1: c9465fb1b23f9481ec7f62f9b1ac614a3e3a9a75 SHA-256: 0d3ee68a5c1cafb2e5aded51fa1bf66b8d854f7bfd58163f9d7b135aebe057e7
164 Risk Score

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3955

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yubit.co.za/XSRYdR1H?utm_term=hunger+games+espanol+pdf PDF link annotation
    • http://mp-journal.com/media/file/68519420572.pdfIn PDF document text
    • https://safewatersolutions.in/ckfinder/userfiles/files/76279456013.pdfIn PDF document text
    • https://rubenoferro.com/userfiles/file/wawifup.pdfIn PDF document text
    • http://www.uvhk.com/wp-content/plugins/formcraft/file-upload/server/content/files/1621ad0c59117e---vasosemexatajoxuxe.pdfIn PDF document text
    • https://abcdev.opusviewdev.com/app/webroot/js/image/files/11899911544.pdfIn PDF document text
    • https://www.lamuccacompany.com/wp-content/plugins/super-forms/uploads/php/files/604655d109ebbc8214953713d8f36d6c/61665681737.pdfIn PDF document text
    • https://jancsoalapitvany.hu/ckfinder/userfiles/files/zovaxebebatov.pdfIn PDF document text
    • https://www.misuhuko.com/assets/kcfinder/upload/files/towufomemeri.pdfIn PDF document text
    • http://produkty.promiennik.pl/resources/files/dimisijuruvi.pdfIn PDF document text
    • https://wroclawmodelshow.pl/ckfinder/userfiles/files/62820775691.pdfIn PDF document text
    • http://mottaing.eu/userfiles/files/92159023284.pdfIn PDF document text
    • http://www.alex-vasilkov.ru/images/wisdom/file/bowapudulebetege.pdfIn PDF document text
    • http://www.elsecretodelolivo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16210b3cda8ef2---43146551681.pdfIn PDF document text
    • https://fleuriste79.fr/ckfinder/userfiles/files/risudazewagoxugemuromebek.pdfIn PDF document text
    • http://snc.easy-event.net/img/uploads/files/migamozujit.pdfIn PDF document text
    • http://tsyrulnikov.ru/upload/file/jobewarudedidezedukix.pdfIn PDF document text
    • https://ost-fogging.com/upload/files/sotolalune.pdfIn PDF document text
    • http://dezmaster.com/userfiles/file/movopevowaliledezel.pdfIn PDF document text
    • http://www.pibmg.com.br/ckfinder/userfiles/files/files/moxegov.pdfIn PDF document text
    • http://buddhavihara.net/userfiles/file/35524098052.pdfIn PDF document text
    • https://tuabogadoangel.com/wp-content/plugins/super-forms/uploads/php/files/bb506539e2a3a5f7c44b79c314de82ec/xamadasawofumow.pdfIn PDF document text
    • https://dverimilana.ru/media-temp/img/uploads/files/3880385648.pdfIn PDF document text
    • http://klavierunterricht-bergedorf.de/files/files/65316581318.pdfIn PDF document text
    • https://mytalk7.com/_UploadFile/Images/file/97038429732.pdfIn PDF document text
    • http://xn--80aaa6aachkjln0qra.xn--p1ai/ckfinder/userfiles/files/fopigan.pdfIn PDF document text
    • http://thefutureofgolf.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16216d9c1c0fe6---puzufinopepoju.pdfIn PDF document text
    • http://domainecomps.com/documents/files/vobaseweduvapufezabarirat.pdfIn PDF document text
    • http://customartdirect.com/kcfinder/upload/files/41141555483.pdfIn PDF document text
    • http://puebloexec.com/userfiles/file/47318305583.pdfIn PDF document text
    • https://yauspeshen.com/ckfinder/userfiles/files/xazuwikof.pdfIn PDF document text
    • http://lube-stc.com/ckfinder/userfiles/files/wuxevuwo.pdfIn PDF document text
    • https://poetnazrul.com/kcfinder/upload/files/7091477907.pdfIn PDF document text
    • https://aymexco.eu/ckfinder/userfiles/files/82448987947.pdfIn PDF document text
    • https://zahrek.com/userfiles/file/nuzalupafotig.pdfIn PDF document text
    • http://sangjeom.com/userfiles/file///46978457401.pdfIn PDF document text
    • https://nichecnk.leaddeehub.com/userfiles/files/80194755085.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0008bf86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8BF86 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off0008d6a1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8D6A1 19016 bytes
SHA-256: a348c93a894499d638edcaf1a7a5124cd5f4aff8f8be12edddffb0320616c8ad
font_02_sfnt_off000907dc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x907DC 10744 bytes
SHA-256: b6f6df1135223fa6d49279175a0dfc03afda7bef9380aea11c80c5f59365dcae

Open this report in the interactive analyzer, or submit your own file for analysis.