Malicious PDF — malware analysis report

Static analysis result for SHA-256 4785ee542f0ab5d7…

Verdict: MALICIOUS

File type: PDF

Size: 325.5 KB
Created: 2022-03-11 07:33:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-20
MD5: c4ef5a7a753b4a0af99d59c5db939bd6
SHA-1: 6d9f0a19358e0ebf281fad3bda8619bff8c9a673
SHA-256: 4785ee542f0ab5d7d4d9d07c9e3d77b32005f8aaade883e8b776839be33c60ee
Risk score: 174

Machine Learning

  • Nyx PDF Classifier malicious score 0.6641

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. The finding is flagged structurally (image lure + SEO redirector) so that detection does not depend on a ClamAV/ML signature and holds regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (kind): source, size

  • font_00_sfnt_off0004a663.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x4A663, 18968 bytes
    SHA-256: 569c49d270940d96a2b281a27c40666bdbf46ac19d686674cae217d4dc10de33
  • font_01_sfnt_off0004d788.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x4D788, 16560 bytes
    SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
  • font_02_sfnt_off0004eea8.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x4EEA8, 10304 bytes
    SHA-256: 59737c9acb5ddd5c6fee8524a9c3ecdd914029b0e14588af4ef7c1ae97bd6379