Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dd5652570c81978…

Verdict: MALICIOUS
File type: PDF

Size: 227.3 KB
Created: 2022-04-19 06:16:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-26
MD5: 3094c2505b5ae9e8b94ecc0847a2fbb2
SHA-1: ef98426d8921b94989b68fc1828be06e0f542b35
SHA-256: 3dd5652570c819781a1bf5f8fe73f8502da6f4b89d382c40e592119bd7d0715d

Risk Score: 112

Machine Learning

  • Nyx PDF Classifier malicious score 0.8279

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • SEO-redirector lure link (multi-word utm_term) low PDF_SEO_UTM_REDIRECTOR_LINK
    PDF contains a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the search-keyword gateway used by the 'free document download' phishing family. Surfaced as an IOC; on its own this is a low-confidence signal.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lazav.co.za/XSRYdR1H?utm_term=devotional+songs++mr+jatt  In PDF link annotation

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0003202d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x3202D   10648 bytes
  SHA-256: 569cb4b0240f27cef9221a8d041d73ef8c178d49c53b989e7433c0a148d62055
font_01_sfnt_off00033884.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x33884   17616 bytes
  SHA-256: 8ee611b7b42d0c3bdfb550c6ddb64948c94ce3e2a79c080006840e8860fba627
font_02_sfnt_off00036654.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x36654   16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1