Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f17676721a51973…

Verdict: MALICIOUS
File type: PDF

Size: 262.7 KB
Created: 2022-04-19 16:28:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-08
MD5: 619b3686fb797ae9a5c7814557acf087
SHA-1: 8939fe952499292cf2f4a29afd12a705c0b2273c
SHA-256: 2f17676721a51973c122f7a665d014b18d5194a0ac46d7ad50548b37407774da
Risk score: 174

Machine Learning

  • Nyx PDF Classifier malicious score 0.8006

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (Kind) / Source / Size / SHA-256:

  • font_00_sfnt_off0003a7fc.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x3A7FC; Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_01_sfnt_off0003c013.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x3C013; Size: 10784 bytes
    SHA-256: fda78fbafd31996ce77c070864d35f021c3f641d898a2c2bfeb42fe15685e085
  • font_02_sfnt_off0003d8ce.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x3D8CE; Size: 20268 bytes
    SHA-256: 9f108c1120d246e9616b3a83ef7998ed6c79e62a3b92c2b38335dd604195140e