Malicious PDF — malware analysis report

Static analysis result for SHA-256 4259c9cf8c198dfc…

Verdict: MALICIOUS
File type: PDF
Size: 384.3 KB
Created: 2022-03-09 05:36:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-16
MD5: 7fc9c7c595490295f234ed24aeae1524
SHA-1: 728b7399fac1392adbab8b7792d71491fa9850c3
SHA-256: 4259c9cf8c198dfc805de325840e897639967727dec8a96cc886cf1b1c757a5c
Risk Score: 174

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5194

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • Image lure linking to an SEO redirector (free-download phishing) [severity: high, rule: PDF_SEO_UTM_REDIRECTOR_LINK]
    The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. The rule fires on structure (image lure plus SEO redirector), so it does not depend on a ClamAV or ML signature and is unaffected by how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage [severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream [severity: low, rule: PDF_JS]
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [severity: info, rule: PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                      | Size
font_00_sfnt_off0005906d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5906D | 16560 bytes
  SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off0005a788.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A788 | 18004 bytes
  SHA-256: d2a87a5f895b83d2da6234aa884e5489172117c600ed34af2760c22570363bea
font_02_sfnt_off0005d712.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D712 | 10948 bytes
  SHA-256: 62b0871b7dd2b6c4488fb163b5bf18beebfc88b9b91ee0e57c2f99c22d29ac79