Verdict: MALICIOUS
Risk Score: 174
Machine Learning
- Nyx PDF Classifier malicious score 0.6022
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Image lure linking to an SEO redirector (free-download phishing) (severity: high; rule: PDF_SEO_UTM_REDIRECTOR_LINK). PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- PDF link farm points to compromised-WordPress upload storage (severity: medium; rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM). PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Embedded JS stream (severity: low; rule: PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (severity: info; rule: PDF_URI). PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000566aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x566AA | 20328 bytes | 35d9ece7fba6788d274001f8b93653acec17ffe8ec3ea60936503d4ec8323ffe |
| font_01_sfnt_off00059c3a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x59C3A | 16560 bytes | 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9 |
| font_02_sfnt_off0005b35a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B35A | 10280 bytes | de4c343dff88564cda5f6eedab2f37792e80971b8b3188d2af2c88e3ec0d8487 |