Malicious PDF — malware analysis report

Static analysis result for SHA-256 22793b1644e7a3ae…

MALICIOUS

PDF

68.0 KB Created: 2021-05-16 10:57:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04
MD5: 0c32b714a24d54df8838b95e8d03bbff SHA-1: b5c25d148ca1bc73d7b3eeecdd201175b0862ad2 SHA-256: 22793b1644e7a3ae7e6bd48629736f59da25162f93ec1d48e6131454856a80f0
96 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://njsolarpower.com/wp-content/plugins/super-forms/uploads/php/files/4f8920a2fb302ff199616c4cf6f5d451/64540006468.pdf In PDF document text
    • http://unsersohn.ch/images/file/zikegoloxov.pdfIn PDF document text
    • https://photographerin.agency/wp-content/plugins/super-forms/uploads/php/files/ltil6n43avvkol4jrfh8236pp7/10214542218.pdfIn PDF document text
    • https://joyfool.art/wp-content/plugins/super-forms/uploads/php/files/0b441f1e8f86ab82b5801fbe018ba7a0/17183520914.pdfIn PDF document text
    • https://joefairless.com/wp-content/plugins/super-forms/uploads/php/files/89fe398f48a4da3e30cc9ec76b70c1b1/wodupifoterilolotorogunaw.pdfIn PDF document text
    • https://brunoamaranti.it/wp-content/plugins/super-forms/uploads/php/files/pntcat01trrc4ujhahs3v7o7t2/lekatifizoso.pdfIn PDF document text
    • http://anhuishangbiao.com/upload_fck/file/2021-4-30/20210430125149803064.pdfIn PDF document text
    • https://www.a2zmedical.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160759026b141d---95962875038.pdfIn PDF document text
    • https://youstore21.com/wp-content/plugins/super-forms/uploads/php/files/c24dbf96048d5234b571f880f1d6611b/59431105038.pdfIn PDF document text
    • https://evocative.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607fa04385ca0---88985471283.pdfIn PDF document text
    • https://greyquotient.com/wp-content/plugins/super-forms/uploads/php/files/00e6ebe96b60525a16cb56b66c4e5e60/guvomigaj.pdfIn PDF document text
    • https://abril.pe/wp-content/plugins/super-forms/uploads/php/files/mcscnnrcc27qe62plkh7upt9f3/74166781508.pdfIn PDF document text
    • https://www.reliancecareuk.com/wp-content/plugins/super-forms/uploads/php/files/faa1c44f8c51016c6cbd919e6e7b7207/69834175369.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=save+excel+sheet+as+pipe+delimited+filePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cb20.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCB20 5528 bytes
SHA-256: 4dbfacd22d46869e68f283619bc343ebe3f3a3868fbe5ef221d14f52edad2b0e
font_01_sfnt_off0000ddd5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDDD5 10944 bytes
SHA-256: ecf059f354a2213c0b93232c70ce91feeaffc8a035ebaadd10db3a06f104ac22