PDF malware analysis — malicious · 4783f2f9a80a7fd7

MALICIOUS

PDF

213.7 KB Created: 2022-02-03 06:23:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-20

MD5: 99f2251e10f7e3768945ce96f8db6e12 SHA-1: f41553a7533cb8ab05cb45768ca16353e2341192 SHA-256: 4783f2f9a80a7fd79aef416880f3ed7f0f441989d6f282d10eb5a032f2f7335a

194 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.8150

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL

PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://lazav.co.za/XSRYdR1H?utm_term=lavadora+brastemp+ative+11kg+manual PDF link annotation
- http://www.alite.com.br/assets/kcfinder/upload/files/38330127863.pdfIn PDF document text
- https://leifs-auto.dk/images/file/mixinosodesununinemedim.pdfIn PDF document text
- http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614da2b97d6d6---jumowakukulukewe.pdfIn PDF document text
- http://air-con.ru/upload/files/mesadivu.pdfIn PDF document text
- http://okvin.org/userfiles/file/94956233904.pdfIn PDF document text
- http://elijasprojekts.lv/files/file/sirabapiragek.pdfIn PDF document text
- http://pantryscan.com/123cars/imagefck/file/94642830737.pdfIn PDF document text
- https://cometgroupinternational.com/ckeditor/ckfinder/userfiles/files/duluzejetaxijiwudadage.pdfIn PDF document text
- http://novichiha.ru/pic/file/85801801600.pdfIn PDF document text
- http://www.absolutecateringla.com/wp-content/plugins/formcraft/file-upload/server/content/files/1618e350d25038---17211340382.pdfIn PDF document text
- https://www.accidentinjurylascruces.com/wp-content/plugins/super-forms/uploads/php/files/sjg8lkcknvml1nla9rraorp46i/vawamuwugeturumokuvo.pdfIn PDF document text
- http://www.workbythai.com/admin/assets/images/kasujejusiz.pdfIn PDF document text
- https://ijpdua.com/contents/files/31677797815.pdfIn PDF document text
- http://alarmy-kamery24.pl/userfiles/file/jebarinowu.pdfIn PDF document text
- http://o2ashop.com/ckfinder/userfiles/files/42647014142.pdfIn PDF document text
- https://altstudio.be/app/webroot/uploads/file/43628650955.pdfIn PDF document text
- http://cgt-fo-csc.fr/wp-content/plugins/formcraft/file-upload/server/content/files/161d5a8979a361---ragetitoxusukukos.pdfIn PDF document text
- https://ibbfvhn.org/recursos/kcfinder/upload/files/bapulu.pdfIn PDF document text
- http://diplomat2014.ru/ckfinder/userfiles/files/5895327076.pdfIn PDF document text
- http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/1616e078c468d0---lukokilufilawi.pdfPDF link annotation
- https://netcsemege.elelmiszer-hazhozszallitas.hu/ckfinder/userfiles/files/46415655580.pdfIn PDF document text
- http://www.moteco.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160ff73b05e675---3931061608.pdfIn PDF document text
- https://andrejc.si/files/file/18566499909.pdfIn PDF document text
- https://guenangequitation.fr/www/site/js/ckfinder/userfiles/files/92865153860.pdfIn PDF document text
- https://chasselas-de-moissac.com/assets/kcfinder/upload/files/10623705645.pdfIn PDF document text
- https://resepangka.org/contents/files/jiruza.pdfIn PDF document text
- http://thecpg.org/kcfinder/upload/files/tozogapidunozafi.pdfIn PDF document text
- https://www.reparaciondebomba.com.ar/wp-content/plugins/super-forms/uploads/php/files/oabnm8umovd3vdm3f6ft5spcc1/48375142283.pdfIn PDF document text
- http://rts-3.ru/upload/files/zovuteminebezur.pdfIn PDF document text
- http://mynigaoe.com/upload/file/20220114174711.pdfIn PDF document text
- http://netpost.vn/upload/userfiles/files/gezixi.pdfIn PDF document text
- https://club-1c.kz/app/webroot/js/kcfinder/upload/files/xagobugoboliwefafupumunu.pdfIn PDF document text
- https://noddy.nu/images/file/katadevukejofemurer.pdfIn PDF document text
- http://5e10.com/file/joxixixuxiv.pdfIn PDF document text
- http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/c89cc060bfc6f4ce0f924ba723e88666/xanoneduwopamotasisituro.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netReferenced by PDF JavaScript
- http://dejavu.sourceforge.net/wiki/index.php/LicenseReferenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0002e6cc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2E6CC	11140 bytes
SHA-256: `835553f0831e34542fee7db9a0819154b463680330a9471bdcaa54bac42c4131`
`font_01_sfnt_off0003006e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3006E	16560 bytes
SHA-256: `924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9`
`font_02_sfnt_off00031789.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x31789	18868 bytes
SHA-256: `f267734a2a09e02eee38cba4105004b5655fc7919d22e1451cb8f3933accb5e1`

Open this report in the interactive analyzer, or submit your own file for analysis.