Malicious PDF — malware analysis report

Static analysis result for SHA-256 4254f791cf368e0e…

MALICIOUS

PDF

Size: 282.1 KB
Created: 2022-01-07 13:13:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-16

MD5: b8fd4f7fa4aa24e33c07670220c1a86b
SHA-1: dcfe0fab123829ea41f236dae3180aa6d11b0171
SHA-256: 4254f791cf368e0e4ed15cdd4afedba215d71b0520ef6a79616765227975860a

Risk score: 136

Machine Learning

  • Nyx PDF Classifier malicious score 0.8332

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0003ff53.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3FF53  16416 bytes
  SHA-256: cfa2c3fbce80cc5607e01af033b793d17c57c214fb1d96e845eedea48cccd336
font_01_sfnt_off000415f2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x415F2  16372 bytes
  SHA-256: 74afc3e5b892ba8219712d0da18b3ecc6917746330887dbebaa95469f9d0f175
font_02_sfnt_off00044071.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x44071  11012 bytes
  SHA-256: b8c842ca421c03f5ac02cb0c973ede2ff0ac5b85f3b0c4e966e7f427803ca16b