Malicious PDF — malware analysis report

Static analysis result for SHA-256 445ea53a7fd3cfc1…

MALICIOUS

PDF

Size: 485.3 KB
Created: 2024-03-02 09:52:49
Authoring application: PDFBox
First seen: 2026-06-07
MD5: 01d7cb5696c00145bf570046b4014ed1
SHA-1: 916b53536708ac28f92494cf5c3b69dac23e3a9f
SHA-256: 445ea53a7fd3cfc1c602180f95b0982655c143632cbc34497a20dcaad6d032dc
Risk Score: 154

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4694

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action (a /URI action that opens a link when triggered).
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000730c6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x730C6 | 12668 bytes
    SHA-256: 593372d5afc9fd6e84d2f88bd2002a692cd0a27283689c9a9508a7d3bce95168
font_01_sfnt_off00074fb6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74FB6 | 18400 bytes
    SHA-256: 8a35d4deaf61d7d45225f2f5f69355e583b063ef28da442a2d111cf2e575ae1d