Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dd6f09f1be0a3bb…

Verdict: MALICIOUS
File type: PDF

Size: 217.6 KB
Created: 2022-04-16 15:56:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-26
MD5: 663b874450817d674c91d014db11c78d
SHA-1: c9e3d8b9df9a58af56aa964f82b334fadac1f53d
SHA-256: 3dd6f09f1be0a3bb2ec27bcc1038ef2bbf57be8dd77d569f2c70c3a7d7f3f4dd
Risk Score: 174

Machine Learning

  • Nyx PDF Classifier malicious score 0.6786

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ragaz.co.za/XSRYdR1H?utm_term=empty+license+plate+template (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0002f8d2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F8D2
    Size: 17748 bytes
    SHA-256: 4208d6580375b204c2b18716f84ea30a603e7a3899d2b8c8af5ed9617a2a2d14
  • font_01_sfnt_off00032676.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x32676
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_02_sfnt_off00033e8d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x33E8D
    Size: 10412 bytes
    SHA-256: 3b79d7d9900e7a939707a2d9dcc0f33d601f8f440187bd887ee18d77760b2e77