Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ddbe0986f48e3af…

Verdict: MALICIOUS
File type: PDF
Size: 280.0 KB
Created: 2022-03-17 04:24:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-26
MD5: 8bdd7a0da3414ad0da4bd65d0b149ac2
SHA-1: 689087de42a932b724d1527aa31a0d96e3b402f9
SHA-256: 3ddbe0986f48e3af53a21d162824e156d1cef2a2e97d26297e748df5ee7934a3
Risk Score: 152

Machine Learning

  • Nyx PDF Classifier malicious score 0.5130

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • SEO-redirector lure link (multi-word utm_term) [low] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF contains a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the search-keyword gateway used by the 'free document download' phishing family. Surfaced as an IOC; on its own this is a low-confidence signal.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel that reached each URL in parentheses):
    • https://yoyep.co.za/XSRYdR1H?utm_term=cpanel++free+mac (PDF link annotation)
    • http://oiseau-bleu-morzine.com/userfiles/file/fezizag.pdf (PDF document text)
    • http://kidilangues.fr/js/kcfinder/upload/files/904905850.pdf (PDF document text)
    • http://inspeq.eu/public/files/37080391196.pdf (PDF document text)
    • http://charmingcurls.se/upload/file/fofadasijegituzosuwefiki.pdf (PDF document text)
    • http://cyc.cz/pictures/clanky/files/xapavubi.pdf (PDF document text)
    • http://www.acs-pack.fr/kcfinder/upload/files/38286047813.pdf (macro / runtime command snippet)
    • http://3m18.com/images/editor/files/zekimoweloxot.pdf (PDF document text)
    • http://www.easemyloan.in/assets/kcfinder/upload/files/mawirojenav.pdf (PDF document text)
    • https://travelbook.kz/kcfinder/upload/files/xasedivosuzanexanezon.pdf (PDF document text)
    • http://sportsbettingconsultants.net/cote_dor_import/admin/ckfinder/userfiles/files/78378178888.pdf (PDF document text)
    • http://studiolorenzino.eu/userfiles/files/15491992480.pdf (PDF document text)
    • http://portalcom-b2b.es/img/user//file/_0171502001646678980.pdf (PDF document text)
    • https://dafelia.com/files/3263536343.pdf (PDF document text)
    • http://schokoladenfontaene.de/idata/vevap.pdf (PDF document text)
    • https://inmaabiladi.com/userfiles/files/dasevipevoweb.pdf (PDF document text)
    • http://siripanyalamphun.com/user_img/files/nopiwolidon.pdf (PDF document text)
    • http://z-sinpro.com/upload/files/tizegebotuvub.pdf (PDF document text)
    • http://satisfytech.com/ck/upload/files/tevawuginew.pdf (PDF document text)
    • https://taxinamdinh.com/data/dulieu/files/63405774175.pdf (PDF document text)
    • http://pnlestari.com/visitbali/image/files/lozesolurirukegugegul.pdf (PDF document text)
    • http://matrix-work.com/uploads/files/35026204469.pdf (PDF document text)
    • http://journeywithmypet.com/ckfinder/userfiles/files/woxusabujojiwakafufelewo.pdf (PDF document text)
    • http://acunambalaj.com/adenoto/upload/files/60248136987.pdf (PDF document text)
    • http://whipitleather.com/userfiles/file/ziragi.pdf (PDF document text)
    • https://mk-promotions.com/ckfinder/userfiles/files/jetitika.pdf (PDF document text)
    • https://www.rogierstoel.nl/wp-content/plugins/super-forms/uploads/php/files/rtqggtgta9k9tfu43mo4gnod1i/15425947823.pdf (PDF document text)
    • http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/161fa1b7bd73ff---98727223659.pdf (PDF document text)
    • http://kibbkw.com/uploads/file/45295548883.pdf (PDF document text)
    • https://divinenine.net/userfiles/file/sogosobovenojilajevifunap.pdf (PDF document text)
    • http://retailcop.ca/files/mijolinag.pdf (PDF document text)
    • https://michalheger.cz/soubory/files/samubobabitubi.pdf (PDF document text)
    • http://acutecardio.ru/sadm_files/5782141300.pdf (PDF document text)
    • https://resulgame.com/calisma2/files/uploads/45404687146.pdf (PDF document text)
    • https://liad-alger.fr/admin/style/js/edit/kcfinder/..%5Cimages%5Ccontenue/files/pavimoxajolalebosaku.pdf (PDF document text)
    • https://dipinkrishna.com/wp-content/plugins/formcraft/file-upload/server/content/files/1620fcec9506c3---wiwupawimifulunozaxo.pdf (PDF document text)
    • https://www.au-holding.ru/kcfinder/upload/files/62885066704.pdf (PDF document text)
    • https://www.financedeclined.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1621ef11d3206b---12258368866.pdf (PDF document text)
    • https://hockeyplayer.com/userfiles/file/61840702894.pdf (PDF document text)
    • https://webrekruit.com/php_codes/Scott/VieauAssociates/code/userfiles/file/sasun.pdf (PDF document text)
    • https://atlaskvartir.ua/data/uploads/files/wugor.pdf (PDF document text)
    • https://nuregio.de/wp-content/plugins/formcraft/file-upload/server/content/files/16200ad932ccbf---kokopumanowumibipegeraluk.pdf (PDF document text)
    • https://www.massola.com/assets/themes/sbadmin2/ckeditor/kcfinder/upload/files/82313619560.pdf (PDF document text)
    • http://www.nisbd.com/wp-content/plugins/formcraft/file-upload/server/content/files/16209446ec5fbf---nomepafetivawo.pdf (PDF document text)
    • http://dailygiasi.com/uploads/userfiles/file/29721372469.pdf (PDF document text)
    • http://vibingvibes.com/userfiles/files/71001976480.pdf (PDF document text)
    • http://rvmwttc.com/ckeditor/kcfinder/upload/files/86188717915.pdf (PDF document text)
    • http://xaydunghoangthanh.com/img_duhoc/files/89079071395.pdf (PDF document text)
    • https://ceb.lk/assets/js/kcfinder/upload/files/rofirik.pdf (macro / runtime command snippet)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    +7 more URL(s)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0003f2c0.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3F2C0
Size: 10196 bytes
SHA-256: b9163a75f60c5dd6aa1526fa449ccf558fc9c1824723834690f3199eeaa0eacf

Filename: font_01_sfnt_off00040994.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x40994
Size: 18100 bytes
SHA-256: 8cc99822b8c7b9c696270d7bdbb3092c88eb08deac40497b308fa7379c54aafe

Filename: font_02_sfnt_off00043884.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x43884
Size: 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9