Malicious PDF — malware analysis report

Static analysis result for SHA-256 47848f3b55e256c0…

MALICIOUS

PDF

Size: 187.0 KB
Created: 2022-02-05 08:02:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-20
MD5: 271568294639a7bfaeabf36d85ae7967
SHA-1: 0fd67e04e47055ea5a0707d6d4b617c900099982
SHA-256: 47848f3b55e256c02898ae0e89c15a21c066fa7a7eac279fbdfa66d79fb18d78
Risk score: 156

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7669

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, actions, URIs, embedded files).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tevav.co.za/XSRYdR1H?utm_term=bpp+acca+f1+study+text+pdf+2017 (PDF link annotation)
    • https://shreenatharcade.com/userfiles/file/topibageze.pdf (in PDF document text)
    • http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/161d248e30a499---xenivinob.pdf (in PDF document text)
    • https://infotechloyalty.com/bot/ckfinder/uf/files/gewoxopegejewubugum.pdf (in PDF document text)
    • https://wasserentkalkung.at/ckfinder/userfiles/files/zazulipilonuzufavi.pdf (in PDF document text)
    • https://tucsonhomewindowtint.com/wp-content/plugins/super-forms/uploads/php/files/b5501e26d0bbe3c46351849066ce1441/zilarivuragemu.pdf (in PDF document text)
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/161005fb07ee07---remafudomixajepowagibo.pdf (in PDF document text)
    • http://elmakoleji.k12.tr/public/kcfinder/upload/files/83838217376.pdf (in PDF document text)
    • http://hanbangrd.com/userfiles/file/20210730025937_428122297.pdf (in PDF document text)
    • http://drzwiukryte.pl/userfiles/file/rogabelosodefoz.pdf (in PDF document text)
    • http://odnoklassniki-files.ru/images/uploads/files/92685065416.pdf (in PDF document text)
    • http://buffagiuseppeinfissi.com/userfiles/files/sajizekoziviv.pdf (in PDF document text)
    • https://hoppe.dk/files/89274658325.pdf (in PDF document text)
    • http://k9careclinic.in/ckeditor/ckfinder/userfiles/files/22478921051.pdf (in PDF document text)
    • https://5points.com.ng/5points-admin/kcfinder/upload/files/85528132373.pdf (in PDF document text)
    • https://enville.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f77f12e6cf2---rikebaviziluzafolebusu.pdf (in PDF document text)
    • https://kozmetikadunakeszi.hu/userfiles/file/pikibabedoja.pdf (in PDF document text)
    • http://skaltius.sztps.sk/user_files/files/liladilovidivisupetuk.pdf (in PDF document text)
    • https://seedomoretravel.com/files/files/kuxibumojelag.pdf (in PDF document text)
    • http://biafrapol.pl/pliki/file/budakixinademojozetejalo.pdf (in PDF document text)
    • http://elesi.eu/fichiers/files/tizonesenixenubuma.pdf (in PDF document text)
    • http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1612ba74a784d2---fanika.pdf (in PDF document text)
    • https://www.orthovision-lublin.pl/ckfinder/userfiles/files/45402102479.pdf (in PDF document text)
    • https://amatnieks.com/pictures/image/sigogopuno.pdf (in PDF document text)
    • http://autokolcsonzoszolnok.hu/admin/fck_upload/file/86562375316.pdf (in PDF document text)
    • http://www.bauernmusikkapelle-stjohann.at/CMS/ckeditor/kcfinder/upload/files/76534611251.pdf (in PDF document text)
    • https://lokmangal.co.in/wp-content/plugins/super-forms/uploads/php/files/a6b925b24d945fd17c02947961e4d188/53284482029.pdf (in PDF document text)
    • http://shiksha24.com/userfiles/files/25125387728.pdf (in PDF document text)
    • http://hermanosgolbano.com/admin/fckeditor/editor/filemanager/connectors/phpfile/5925081308.pdf (in PDF document text)
    • http://locnuocvietmy.com/Images_upload/files/pizigera.pdf (in PDF document text)
    • https://ta-taiwan.com/app/webroot/userfiles/files/mabog.pdf (in PDF document text)
    • http://simpelms.nl/userfiles/files/kivijofusiwolufamibez.pdf (in PDF document text)
    • http://eugensa.lt/app/webroot/uploads/userfiles/files/75249030054.pdf (in PDF document text)
    • http://deltools.com/userfiles/file/vikezagobedusezemaruni.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP namespace)
    • http://purl.org/dc/elements/1.1/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP namespace)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP namespace)
    • http://dejavu.sourceforge.net (in PDF document text; embedded font metadata)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text; embedded font metadata)
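The two link-farm heuristics above come down to a few measurable properties of the extracted URL set: how many clickable targets there are, how thinly they are spread over distinct hosts, whether a utm_term SEO redirector corroborates the pattern, and how many targets sit in the upload directories of abused CMS plugins. The Python below is an added example of that logic, not the scanner's own code. The thresholds, the upload-path patterns and the list of metadata hosts to ignore are assumptions chosen for illustration, and the sample URL list is a constructed subset of the URLs reported above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Upload directories written by form / file-manager plugins that are routinely
# abused on compromised sites. The list is an illustrative assumption.
CMS_UPLOAD_PATTERNS = [
    (re.compile(r"/wp-content/plugins/formcraft/file-upload/server/content/files/"), "FormCraft"),
    (re.compile(r"/wp-content/plugins/super-forms/uploads/php/files/"), "Super Forms"),
    (re.compile(r"/(?:ck|kc)finder/(?:userfiles/files|upload/files|uf/files)/"), "CKFinder/KCFinder"),
    (re.compile(r"/fckeditor/editor/filemanager/connectors/"), "FCKeditor"),
    (re.compile(r"/userfiles?/files?/"), "generic userfiles upload"),
]

# XMP/RDF namespaces and font-licence URLs occur in nearly every PDF and are not
# click targets; counting them would inflate the host spread. Assumed list.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "dejavu.sourceforge.net"}


def classify_links(urls, min_links=10, min_hosts=8, max_dominant_share=0.5, min_cms_hosts=3):
    """Score a PDF's extracted URLs against the two link-farm shapes.

    Thresholds are assumptions for this example, not the scanner's tuned values.
    """
    hosts = Counter()
    cms_hits = []          # (host, plugin) per URL parked in a known upload directory
    pdf_targets = 0        # links whose target is itself a .pdf
    utm_redirectors = 0    # links carrying a utm_term SEO search phrase
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or not host or host in METADATA_HOSTS:
            continue
        hosts[host] += 1
        if parsed.path.lower().endswith(".pdf"):
            pdf_targets += 1
        if "utm_term" in parse_qs(parsed.query):
            utm_redirectors += 1
        for pattern, plugin in CMS_UPLOAD_PATTERNS:
            if pattern.search(parsed.path):
                cms_hits.append((host, plugin))
                break

    total = sum(hosts.values())
    dominant_share = (max(hosts.values()) / total) if total else 0.0
    verdicts = []
    # Many external links, no dominant host, corroborated by an SEO redirector.
    if (total >= min_links and len(hosts) >= min_hosts
            and dominant_share <= max_dominant_share and utm_redirectors > 0):
        verdicts.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    # Targets parked in abused CMS upload directories on several different hosts.
    if len({h for h, _ in cms_hits}) >= min_cms_hosts:
        verdicts.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    return {
        "links": total,
        "hosts": len(hosts),
        "dominant_host_share": dominant_share,
        "pdf_targets": pdf_targets,
        "utm_redirector_links": utm_redirectors,
        "cms_upload_hits": cms_hits,
        "cms_plugins": Counter(plugin for _, plugin in cms_hits),
        "verdicts": verdicts,
    }


# Constructed subset of the URLs listed in the report above (plus three of its
# metadata URLs, to show that they are ignored).
SAMPLE_URLS = [
    "https://tevav.co.za/XSRYdR1H?utm_term=bpp+acca+f1+study+text+pdf+2017",
    "https://shreenatharcade.com/userfiles/file/topibageze.pdf",
    "http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/161d248e30a499---xenivinob.pdf",
    "https://infotechloyalty.com/bot/ckfinder/uf/files/gewoxopegejewubugum.pdf",
    "https://tucsonhomewindowtint.com/wp-content/plugins/super-forms/uploads/php/files/b5501e26d0bbe3c46351849066ce1441/zilarivuragemu.pdf",
    "http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/161005fb07ee07---remafudomixajepowagibo.pdf",
    "http://elmakoleji.k12.tr/public/kcfinder/upload/files/83838217376.pdf",
    "https://hoppe.dk/files/89274658325.pdf",
    "http://hermanosgolbano.com/admin/fckeditor/editor/filemanager/connectors/phpfile/5925081308.pdf",
    "https://lokmangal.co.in/wp-content/plugins/super-forms/uploads/php/files/a6b925b24d945fd17c02947961e4d188/53284482029.pdf",
    "http://deltools.com/userfiles/file/vikezagobedusezemaruni.pdf",
    "https://www.orthovision-lublin.pl/ckfinder/userfiles/files/45402102479.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

if __name__ == "__main__":
    result = classify_links(SAMPLE_URLS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The host-spread check is what separates this family from a legitimate bibliography: a real document that cites twelve PDFs usually clusters on one or two publisher domains, whereas the sample spreads one link per host. The metadata-host exclusion matters in practice, since every PDF with XMP metadata carries the w3.org, purl.org and ns.adobe.com URLs and they would otherwise pad the counts.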

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00027319.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27319
    Size: 27376 bytes
    SHA-256: ff64b2101d40f3babc5c7cf81726a05ec2106461b2e4d37eac2c5388f2cbfa42
  • font_01_sfnt_off0002a9d0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A9D0
    Size: 10864 bytes
    SHA-256: 631c27bafa079720751bb3c34e65a7766a1794a64bb6fdf398825f51c68246a1
  • font_02_sfnt_off0002c35c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C35C
    Size: 16560 bytes
    SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
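The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic in the list above is easy to reproduce with a linear scan of the file: collect every `N G obj ... endobj` definition, flag object numbers whose bodies differ, and raise severity only when one of the differing bodies carries active content. The Python below is an added example of that triage step, not the scanner's own code. The two sample PDFs are constructed, minimal and have no xref table (so that the example stays short; real incremental updates append an xref section and a trailer with /Prev), and the list of "active" dictionary keys is an assumption.

```python
import re

# One indirect object definition: "N G obj <body> endobj". The lookbehind stops
# "15 0 obj" from also matching as "5 0 obj". Linear byte scanning is a triage
# approximation: it sees every definition regardless of what the xref says, but
# it does not look inside compressed object streams.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Dictionary keys that make a duplicate worth escalating (assumed list; matched
# as raw substrings, not by tokenising the dictionary).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/EmbeddedFile", b"/SubmitForm")


def object_definitions(pdf_bytes):
    """Map (number, generation) -> list of body bytes, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def find_duplicate_objects(pdf_bytes):
    """Objects defined more than once with at least two distinct bodies."""
    return {k: v for k, v in object_definitions(pdf_bytes).items() if len(set(v)) > 1}


def resolve(pdf_bytes, num, gen=0, policy="last"):
    """Body a first-wins or last-wins reader would use for object num gen."""
    bodies = object_definitions(pdf_bytes).get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def triage(pdf_bytes):
    """One finding per duplicated object; 'medium' only if active content is involved."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(pdf_bytes).items():
        active = [k.decode() for k in ACTIVE_KEYS if any(k in b for b in bodies)]
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "active_keys": active,
            "severity": "medium" if active else "info",
        })
    return findings


# Constructed minimal document: one page with one link annotation (object 5).
ORIGINAL = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>
endobj
4 0 obj
<< /Title (Study text) /ModDate (D:20220205080249) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/original.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

# Benign incremental update: only the Info dictionary's /ModDate changes.
BENIGN_UPDATE = ORIGINAL + b"""4 0 obj
<< /Title (Study text) /ModDate (D:20220206090000) >>
endobj
trailer
<< /Root 1 0 R /Info 4 0 R /Prev 0 >>
%%EOF
"""

# Suspicious update: the link annotation is redefined to point somewhere else,
# so first-wins and last-wins readers send the user to different hosts.
SUSPICIOUS_UPDATE = ORIGINAL + b"""5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.net/redirect.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Info 4 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL), ("benign", BENIGN_UPDATE), ("suspicious", SUSPICIOUS_UPDATE)):
        print(name, triage(doc))
    print("first-wins:", resolve(SUSPICIOUS_UPDATE, 5, policy="first"))
    print("last-wins: ", resolve(SUSPICIOUS_UPDATE, 5, policy="last"))
```

A conformant reader follows the xref chain from the last trailer and so normally behaves last-wins, but repair-mode parsing after a corrupted or missing xref, and some sandboxes and extraction libraries, scan linearly and take the first definition. That disagreement is the point of the heuristic: with the suspicious sample, a detonation sandbox may follow example.org while the victim's viewer follows example.net.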