Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dd803305ec1a712…

MALICIOUS

PDF

Size: 460.2 KB | Created: 2022-03-05 08:26:55 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) | First seen: 2026-06-26
MD5: 0cb87b2b2e6d970b7873d70fedbe1680
SHA-1: 8367eef8eb695c5beef9c294608d9221c0bb0e9a
SHA-256: 3dd803305ec1a7124053e1af5f1cd1a4d8c654fed218892c406552211fb0edad
Risk Score: 174

Machine Learning

  • Nyx PDF Classifier malicious score 0.5466

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ragaz.co.za/XSRYdR1H?utm_term=comparative+degree+of+adjectives+worksheets (PDF link annotation)
    • http://professionalcsali.hu/admin/ckeditor/kcfinder/upload/files/guzujivaninizubesikurij.pdf (in PDF document text)
    • http://chinahongji.com/d/files/nulixon.pdf (in PDF document text)
    • https://karatenarrewarren.com.au/ckfinder/userfiles/files/dadolugewunejam.pdf (in PDF document text)
    • http://maszyny.pl/userfiles/file/27543576622.pdf (in PDF document text)
    • http://3e-recycling.ru/app/webroot/filesfiles/11144999996.pdf (in PDF document text)
    • https://y3stwk65l-mn9.com/contents/files/54313454145.pdf (in PDF document text)
    • http://vikingpaint.com/user_file/file/kegupenusogelogodubobati.pdf (in PDF document text)
    • http://www.hj-bouwt.be/wp-content/plugins/formcraft/file-upload/server/content/files/161ffff76bdb76---5664279317.pdf (in PDF document text)
    • http://www.emporiocaritaspisa.it/wordpress/wp-content/plugins/formcraft/file-upload/server/content/files/1620a8eb8a1f91---winuderem.pdf (in PDF document text)
    • https://erdenet.mn/userfiles/file/94248122712.pdf (in PDF document text)
    • https://cmri.ckbirlahospitals.com/controlpanel/kcfinder/upload/files/sevumeruromomabojap.pdf (in PDF document text)
    • http://capitaldanceacademy.com/userfiles/files/subamupujefazax.pdf (in PDF document text)
    • https://pastelbuilders.com/userfiles/file/bobarevamogizoxivuduzixeg.pdf (in PDF document text)
    • http://oneself.pro/wp-content/plugins/formcraft/file-upload/server/content/files/16205084500c5e---9096874296.pdf (in PDF document text)
    • https://netiko.ge/img/Data/file/vugizezi.pdf (in PDF document text)
    • https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/16215680e849e4---gibamip.pdf (in PDF document text)
    • https://dianthusindustrial.com/resimler/files/wokawawavaku.pdf (in PDF document text)
    • http://leaguengn.com/userfiles/file///70924897182.pdf (in PDF document text)
    • http://cheliabinsk.realxenon.ru/uploads/files/25270761835.pdf (in PDF document text)
    • http://afgesproken.nl/kcfinder/upload/files/fegova.pdf (in PDF document text)
    • http://cctsw.net/whly/up_files/FCK/file/20220207_220039_100.pdf (in PDF document text)
    • https://xn--78-6kce7dfhb9dwb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/5476f1a63f7fe3df8b94aebeb1bcd069/29239169997.pdf (in PDF document text)
    • http://bernendorf.ru/userfiles/file/ginuzipovewizofon.pdf (in PDF document text)
    • https://aukshanya.promosing.com/alpha/ckfinder/userfiles/files/96808669843.pdf (in PDF document text)
    • https://tvmreza.tv/ckfinder/userfiles/files/sebugaxomamudoranilo.pdf (in PDF document text)
    • http://sendedianqi.com/upload_fck/file/2022-2-25/20220225175535794664.pdf (in PDF document text)
    • http://lionsmarsala.it/userfiles/files/filusasojade.pdf (in PDF document text)
    • http://rcchoir.nl/upload/files/rirukofiwop.pdf (in PDF document text)
    • https://www.peace4r.com/assets/admin_panel/js/kcfinder/upload/files/xewurojefikum.pdf (in PDF document text)
    • http://kapfenberger-schuetzenverein.at/userfiles/file/wepis.pdf (in PDF document text)
    • http://scpt.it/userfiles/files/goleredetiruwejux.pdf (in PDF document text)
    • https://www.propertymegamart.in/admin/ckeditor/kcfinder/upload/files/27351558010.pdf (in PDF document text)
    • https://kubermatkaplay.com/ckfinder/userfiles/files/vewumu.pdf (in PDF document text)
    • http://ih-consultant.com/ckfinder/userfiles/files/woxewobutuji.pdf (in PDF document text)
    • http://avsa.org/sites/default/files/images/files/nafafufitofusapawasen.pdf (in PDF document text)
    • https://www.sesc.com.ua/wp-content/plugins/super-forms/uploads/php/files/4vrqmlddi7c83mg975b3h0l3p2/pukekexuguwibenibomep.pdf (in PDF document text)
    • http://xn--9i1b14l32gg2dsybq3b.com/upload/fckeditor/file/gibamosowovusetogu.pdf (in PDF document text)
    • http://polenes.cl/userfiles/file/22776733943.pdf (in PDF document text)
    • http://kindergartenhelden.at/upload/file/76082342187.pdf (in PDF document text)
    • https://a-guskov.ru/uploads/files/55033182192.pdf (in PDF document text)
    • http://valleytechltd.com/assets/ckeditor/kcfinder/upload/files/85845035179.pdf (in PDF document text)
    • http://www.salda.se/saldus/kcfinder/upload/files/83981637791.pdf (in PDF document text)
    • https://drddvichitra.com/userfiles/file/dalagofubolikaviwiz.pdf (in PDF document text)
    • http://batiment-tunisie.com/userfiles/file/64934489960.pdf (in PDF document text)
    • http://colleges-in-tamilnadu.com/FCKeditor/userfiles/file/14951062326.pdf (in PDF document text)
    • http://dabien.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/1621f0f0b0e749---buxelixukupamazifiju.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    +5 more URL(s)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0006c1af.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C1AF | 16560 bytes
    SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off0006d8cf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D8CF | 11320 bytes
    SHA-256: 0396011eb6abf71e2d70257dbfdf81fe2bdf1ac8fe6ac35a6cae2b15fc74882d
font_02_sfnt_off0006f357.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6F357 | 17144 bytes
    SHA-256: 3a54f03b01eaee71969141f9d59b92eb2fe813845a3022b61b67b96fe53aa947