Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e2cad4428252eec…

Verdict: MALICIOUS

File type: PDF

Size: 100.2 KB
Created: 2021-06-26 07:11:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-05

MD5: 36db0c90f34346afa4e3c88a2bd4d376
SHA-1: 8cc38da462fa93272005fb313f9cd422f3874a44
SHA-256: 3e2cad4428252eecd65fa5bf263348f835c3fb7d410010914b4723fc7f7f2423

Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of links, many pointing to compromised WordPress sites, which indicates a link farm or SEO poisoning attempt. The ML classifier strongly flagged this PDF as malicious. While no scripts were extracted, the document structure and the URL patterns suggest an intent to redirect users to potentially harmful content hosted on the linked sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9909

Heuristics (5)

  • PDF link farm points to compromised-WordPress upload storage (severity: medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel that reached each one):
    • https://petroblend.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bccfacc7ee3---zulumobadudenewunep.pdf (in PDF document text)
    • http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c20d8ddd002---pikatewiwikagazixovu.pdf (in PDF document text)
    • https://benjamindreyer.com/wp-content/plugins/super-forms/uploads/php/files/ed0bcbd78e6d62fea4d67651f9a0453a/83201784471.pdf (in PDF document text)
    • https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/a21441fc4459db4d144ff9068db613c8/8532072312.pdf (in PDF document text)
    • http://topopentertainment.com/wp-content/plugins/formcraft/file-upload/server/content/files/160752bde59a17---fogudijonite.pdf (in PDF document text)
    • https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/7a69e08c8da2f0ceb2a205e77c5a8518/18678472383.pdf (in PDF document text)
    • https://www.reliancecareuk.com/wp-content/plugins/super-forms/uploads/php/files/dcfba664c9fe04a52dead64f6cff2850/80322124797.pdf (in PDF document text)
    • https://discoverapartmentsforrent.com/wp-content/plugins/super-forms/uploads/php/files/028b13a7ad6b2678514f29d26c974f8f/netefukudubitafexozu.pdf (in PDF document text)
    • https://lesfeesdelhetre.fr/upload/files/1122321566.pdf (in PDF document text)
    • https://angel-juicer.com/FileData/ckfinder/files/20210618_F7EC1C6F84562AF1.pdf (in PDF document text)
    • https://www.davidcosz.de/wp-content/plugins/super-forms/uploads/php/files/8f7u05egkuc99pfcl5mr9a7qij/86317245249.pdf (in PDF document text)
    • http://gulfcoolcontracting.com/uploads/userfiles/file/file/muvopiliwuwisames.pdf (in PDF document text)
    • http://www.training4thefuture.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160c118055c1b3---tujimujakisozip.pdf (in PDF document text)
    • http://meyergarden.com/ckfinder/userfiles/files/91397864762.pdf (in PDF document text)
    • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5edac7b5b---figoxatugamovozeti.pdf (in PDF document text)
    • http://steelbo.com/uploads/admins/u0/files/20210613012619.pdf (in PDF document text)
    • http://www.kzhep.in.ua/wp-content/plugins/super-forms/uploads/php/files/11cojabvi5b24s410g5l22o8r7/70195096671.pdf (in PDF document text)
    • https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1d1a20d98b---95846022664.pdf (in PDF document text)
    • https://nationalcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d3a9b1978b2---31401986817.pdf (in PDF document text)
    • https://home18.ru/wp-content/plugins/super-forms/uploads/php/files/cc39224d7f110886caa77e8d72a8abf2/89829063247.pdf (in PDF document text)
    • http://playeasypiano.com/resources/fck_images/xabovuzu.pdf (in PDF document text)
    • https://abugfreemind.com/userfiles/file/59161806264.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=swimming+pool+lessons (PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: stream_002_off0001089c.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1089C
Size: 18516 bytes
SHA-256: cca8550792c38f4bdb6e93e5d4d297405751d56beec2bf67dac283cb10bbd51b

Filename: font_01_sfnt_off000125b8.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x125B8
Size: 10396 bytes
SHA-256: 1c190ac82e03b389a1aa649c8f2bb850cfcd94fac85974406e431bb8b9c07470

Filename: font_02_sfnt_off00013d2e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13D2E
Size: 18152 bytes
SHA-256: 5026fd25765134a0af7e5c9d08f85e9003ed6723ad9a14d6397d7cc037fd0efd

Filename: font_03_sfnt_off00016b19.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16B19
Size: 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1