Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b64accfb04d9cb7…

Verdict: MALICIOUS
File type: PDF
Size: 86.2 KB
Created: 2022-04-08 19:41:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-17
MD5: 9c96f37ae2df6cfd87ac4fb6291185b7
SHA-1: 9af6b6168270fef035021f2c3bc468ff07b42a34
SHA-256: 2b64accfb04d9cb73e54120ef8d4c15fb03f38cd58cad0a1018b155801344a53
Risk Score: 186

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mifuj.co.za/YmrXLWy8?keyword=resumen%20del%20libro%20la%20rebelion%20de%20la%20granja%20capitulo%202 (PDF link annotation)
    • https://sunutefe.weebly.com/uploads/1/3/5/3/135350425/pominuluvoxu.pdf (In PDF document text)
    • http://furasskutat.hu/admin/kcfinder/upload/files/jovotubojezobi.pdf (In PDF document text)
    • https://tufefuru.weebly.com/uploads/1/3/4/6/134621659/bixeduwusijowunu.pdf (In PDF document text)
    • http://aloeverajuice.cz/files/file/jiriwe.pdf (In PDF document text)
    • https://xatevixi.weebly.com/uploads/1/3/4/6/134651360/8026316.pdf (In PDF document text)
    • http://bpsstudio.hu/uploads/59631629090.pdf (In PDF document text)
    • https://pt2-turbo-j3t.com/contents/files/96508675408.pdf (In PDF document text)
    • https://botofemuko.weebly.com/uploads/1/3/4/8/134891122/4139184.pdf (In PDF document text)
    • https://funudenor.weebly.com/uploads/1/3/4/3/134319253/3676863.pdf (In PDF document text)
    • https://roxuvipiga.weebly.com/uploads/1/3/4/6/134637137/zegifilisudujeto.pdf (In PDF document text)
    • http://formasrl.com/admin/kcfinder/upload/files/81673028911.pdf (In PDF document text)
    • http://skomi.ru/img/files/file/rewotigaragojifekalige.pdf (In PDF document text)
    • http://mcenterdk.ru/fck_editor_files/files/mesef.pdf (In PDF document text)
    • https://sofupikibir.weebly.com/uploads/1/3/5/3/135302021/lajuv.pdf (In PDF document text)
    • https://liberiloro.weebly.com/uploads/1/3/4/5/134589576/7b79b776.pdf (In PDF document text)
    • https://ssea.deegbesprofessionalcare.nl/files/File/wuzusudezuxaku.pdf (In PDF document text)
    • https://milelujip.weebly.com/uploads/1/3/4/8/134861654/1391664.pdf (In PDF document text)
    • https://febapemideb.weebly.com/uploads/1/3/0/7/130738739/8588125.pdf (In PDF document text)
    • https://divinenine.net/userfiles/file/74451722666.pdf (In PDF document text)
    • https://labukobirexuf.weebly.com/uploads/1/3/7/5/137509753/7871943.pdf (In PDF document text)
    • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/16239cd26d1c15---41846059474.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000eb8f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB8F | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000103a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103A6 | 11392 bytes | ed9a8f2cb222f825e9d646fcdcf2017933b6dd4b415bcdaccd26fdc7557b97b4
font_02_sfnt_off00011e0f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E0F | 17600 bytes | cd975a79fd24f463b2c5be727a5edb775e1b5b89fcb15c2fb60ab85970ff62a4