Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dc79ea97dca5501…

Verdict: MALICIOUS

File type: PDF

Size: 411.8 KB
Created: 2022-03-16 07:28:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-30
MD5: f083d7a774f7cbbe5f214dfa269e376c
SHA-1: 4535599e816a5ca0201c8bdae35b45394152aac7
SHA-256: 1dc79ea97dca550196e2053e0b8594ef6385fabfddce225fd29361c691125809
Risk Score: 144

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.4850

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://colod.co.za/XSRYdR1H?utm_term=codex+alimentarius+austriacus+pdf (in PDF link annotation)
    • https://mannlicher.hu/admin/kcfinder/upload/files/lobapapeke.pdf (in PDF document text)
    • http://admin.accf-asean-china.com/assets/grocery_crud/texteditor/kcfinder/upload/images/files/57818720020.pdf (in PDF document text)
    • http://tuv-zimer.co.il/assets/userfiles/files/povibijizavimimoritu.pdf (in PDF document text)
    • http://divorce-difficile.fr/userfiles/file/67852008017.pdf (in PDF document text)
    • https://onhimalayas.com/ckfinder/userfiles/files/69590491768.pdf (in PDF document text)
    • http://makrostal.pl/user_images/file/87762223741.pdf (in PDF document text)
    • http://goplayer.net/fil/ckFiles/files/30155584190.pdf (in PDF document text)
    • http://ingenierie-mont-blanc.fr/kcfinder/upload/files/gugofinovepejireperukanar.pdf (in PDF document text)
    • https://jamuiboe.com/webroot/upload_media/33019415182.pdf (in PDF document text)
    • http://fulico.com/v15/Upload/file/2022281954223870.pdf (in PDF document text)
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/aee05a79db9eae5bb3e2231b23f419d5/siderinosekiwiwedosupek.pdf (in PDF document text)
    • http://www.alwaysflorida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1622879949db77---87019318771.pdf (in PDF document text)
    • http://polaryachtmanufactory.com/res/wysiwyg/file/87740622423.pdf (in PDF document text)
    • http://gogift-it.com/userfiles/files/65069995810.pdf (in PDF document text)
    • https://1ar.sa/userfiles/file/3272332024.pdf (in PDF document text)
    • http://skolka.pencin.cz/soubory/file/sujitamasizib.pdf (in PDF document text)
    • http://rpsbchamber.org/editorData/file/9181272429.pdf (in PDF document text)
    • http://peterpan1996.it/userfiles/files/8354281683.pdf (in PDF document text)
    • http://computerdoki.hu/user/file/bumarinajorepuligivotomom.pdf (in PDF document text)
    • http://dc-a436c1f93717.abmextranet.com/fckimages/file/30066092668.pdf (in PDF document text)
    • http://king-ber.com/UploadFiles/file/20220308052031287.pdf (in PDF document text)
    • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/1621f6b8561b26---26379059542.pdf (in PDF document text)
    • http://agarimo.com/archivos/archivos/wobobozisetuva.pdf (in PDF document text)
    • https://robvandamfoto.nl/UserFiles/files/zanevobovusojurexexufi.pdf (in PDF document text)
    • https://codefon.hu/js/ckfinder/userfiles/files/21482418301.pdf (in PDF document text)
    • http://nacyc.jp/Upload/file/vulogezotowakutizuxiji.pdf (in PDF document text)
    • http://dh-cell.net/ckfinder/userfiles/files/90046228612.pdf (in PDF document text)
    • http://gazetavk.ru/img/file/20501200286.pdf (in PDF document text)
    • https://www.pharmaright.ca/wp-content/plugins/super-forms/uploads/php/files/gmvrt512mj1lefenctgtkml7al/xorovegobizipit.pdf (in PDF document text)
    • http://bandotrading.com/uploads/file/lobebiloburevofix.pdf (in PDF document text)
    • https://autohausnschmidt.de/userfiles/file/74811953457.pdf (in PDF document text)
    • https://drrajanmahtani.com/userfiles/files/taverinovar.pdf (in PDF document text)
    • https://malmospelmanslag.se/userfiles/file/80668091581.pdf (in PDF document text)
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16218388a5e992---xalituwigusevob.pdf (in PDF document text)
    • http://asijskepotraviny.cz/files/file/32849692358.pdf (in PDF document text)
    • http://busangh.com/attfile/fckimg/file///202203042556_129301464.pdf (in PDF document text)
    • https://lisalisa.ru/upload/files/73923233394.pdf (in PDF document text)
    • http://senkardeslerkereste.com/kcfinder/upload/files/dejagurifugilobafinuvosi.pdf (in PDF document text)
    • http://tmacfashion.com/ckfinder/userfiles/files/mufodekazebuwi.pdf (in PDF document text)
    • https://www.mozartcantat.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1622b45c0c45c1---tadigipeniroropudilef.pdf (in PDF document text)
    • http://bjbtrh.com/files/pic/file/ganemuzebibivifevegon.pdf (in PDF document text)
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/5528a2db689ee2296f3ef02143398e11/60432794423.pdf (in PDF document text)
    • http://stomerijindex.nl/images/uploads/24875102697.pdf (in PDF document text)
    • http://robodit.ru/kcfinder/upload/files/rivamakilofuwogufakid.pdf (in PDF document text)
    • http://perfecturology.cafe24.com/upload/editor/imagefile/63981405130.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    +4 more URL(s)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000600de.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x600DE | 16560 bytes
    SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off000617fe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x617FE | 11012 bytes
    SHA-256: c8d00b67ea980e8cbe6f8d95470fba6169d4e248610e5b370d59e068ab31de87
font_02_sfnt_off00063193.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x63193 | 16960 bytes
    SHA-256: 9375f4380cc5bb909d3e706614df061d4e4df4e6ea44796f56ab1237b9ad038c