Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b6a069a16d95970…

MALICIOUS

PDF

Size: 465.1 KB
Created: 2022-04-13 03:31:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-17
MD5: 6ff8cb544f951f89ffd82d961b22b10b
SHA-1: 9c8d5e033a2c7f05f2b9eb69c1e593d20358f6e2
SHA-256: 2b6a069a16d95970e342e1fceda5e305bab45779faa5490044c8a08878bd03b0
Risk Score: 106

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4057

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://yoyep.co.za/XSRYdR1H?utm_term=vocalise+cello+sheet+music (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0006d14a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D14A
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_01_sfnt_off0006e95c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E95C
    Size: 19204 bytes
    SHA-256: 15f4881da3bc551660ea1f3c7d00f2afb3968a53248a32f1590544c5360d08f7
  • font_02_sfnt_off00071c4e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71C4E
    Size: 10360 bytes
    SHA-256: 828fc90663eb5740ce633caf10b0981ba89438db7e70c797e8b9814a75fa5261