PDF malware analysis — malicious · 42587c12a5f3db16

MALICIOUS

PDF

347.1 KB Created: 2022-02-08 02:56:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-15

MD5: 516a002b56527abfe3891bc0e003e301 SHA-1: 2452b696eea9950c94ed28ead9baf43b80e8217c SHA-256: 42587c12a5f3db16cbc92856959f320442f023045edaded1cc79ece696b42f86

182 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and links to external URLs, one of which is identified as an SEO redirector for a 'free-download phishing' lure. ClamAV also detected this file as a phishing trojan. The presence of embedded JavaScript suggests an attempt to execute malicious code, likely to download a second-stage payload from the provided URLs.

Machine Learning

Nyx PDF Classifier malicious score 0.7480

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://sunuf.co.za/XSRYdR1H?utm_term=hoshin+kanri+template+excel PDF link annotation
- http://vibestedu.com/_UploadFile/Images/file/topadat.pdfIn PDF document text
- http://autoscuolavalerio.it/userfiles/files/tejegilexitowukogowupaba.pdfIn PDF document text
- https://directprocessors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16102780370a45---99305937540.pdfIn PDF document text
- http://hoadondientu-ptp.vn/images/ckeditor/files/zosivokonoronogero.pdfIn PDF document text
- https://temporar.mirceaseminee.ro/printuri-fi/files/79309160658.pdfIn PDF document text
- https://nbcmedia.vn/ckfinder/userfiles/files/30386253025.pdfIn PDF document text
- http://precisionsurgicalworks.com/alpha/ckfinder/userfiles/files/46406566205.pdfIn PDF document text
- http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611f0ac7aaa2e---62563311222.pdfIn PDF document text
- http://nesthomes.in/userfiles/file/16140454861.pdfIn PDF document text
- http://cathugo-yachts.de/res/wysiwyg/file/gijiwilotujeduzetetu.pdfIn PDF document text
- http://xn--80aiddhbkcq5bcaz.xn--p1ai/upload/files/47167696415.pdfIn PDF document text
- https://coherence.cz/userfiles/file/91752904497.pdfIn PDF document text
- http://henanshuangxin.com/d/files/4667589677.pdfIn PDF document text
- http://74ahs.com/clients/2/2a/2a132ee8da0778863662fd4b1fa251ed/File/rijikuw.pdfIn PDF document text
- https://xn--bren-mgenwil-gcbf.ch/sites/default/files/fck-uploads/file/12436187367.pdfIn PDF document text
- https://bahia-group.com/ckfinder/userfiles/files/mozelokipoliratuna.pdfIn PDF document text
- http://www.leads-bd.org/app/webroot/js/ckfinder/userfiles/files/nizapar.pdfIn PDF document text
- http://kruengrangthai.com/files/files/14152108004.pdfIn PDF document text
- https://www.akita-tourism.com/assets/admin/plugins/kcfinder/files/vobaxigepiwuwu.pdfIn PDF document text
- http://desimlockage-telephone.fr/userfiles/file/segapanodimelubikoku.pdfIn PDF document text
- http://elitaliaweb.it/upload/file/jezusemoxidubinerum.pdfIn PDF document text
- https://ptkas.com/kingkong/userfiles/files/28213849732.pdfIn PDF document text
- http://galluccifaibano.com/userfiles/file/51643040260.pdfIn PDF document text
- http://mikol-styl.cz/userfiles/file/xisikalibefizusu.pdfIn PDF document text
- https://traffictkt.com/viking1/uploads/files/86213164513.pdfIn PDF document text
- https://munis-roquesalbes.cat/demo/vilalba/imatges/file/37796974154.pdfIn PDF document text
- http://xn--80aer5aza.xn----htbdepbihnfb8cyg.xn--p1ai/ckfinder/userfiles/files/29686105904.pdfIn PDF document text
- http://topclinique.ma/kcfinder/upload/files/65648600411.pdfIn PDF document text
- http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/237bf74e62d8b6d29633d83a067412fa/18557678642.pdfIn PDF document text
- https://szabolcsipeter.com/userfiles/file/44364769427.pdfIn PDF document text
- https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/16170c145969dd---2918717917.pdfIn PDF document text
- http://sirindhorn.net/upload/File/44678889864.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0004feba.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4FEBA	16560 bytes
SHA-256: `924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9`
`font_01_sfnt_off000515da.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x515DA	10824 bytes
SHA-256: `e7025fdfa838356c7dd7e9ebd7f7b5a9aee0929a417873bf0edc5a399fed0501`
`font_02_sfnt_off00052e9e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x52E9E	17828 bytes
SHA-256: `dbfeefb60a78ef20d4438b30ea611e9b113a56a283afe61563ae84d052f35ec3`

Open this report in the interactive analyzer, or submit your own file for analysis.