Malicious PDF — malware analysis report

Static analysis result for SHA-256 478ef7349dbe4d48…

Verdict: MALICIOUS
File type: PDF
Size: 333.5 KB
Created: 2022-03-07 21:02:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-20
MD5: 6971ad894466c9f58111c9022dcb6ed9
SHA-1: 18742b857081f84e534d408c0e627d55821113ea
SHA-256: 478ef7349dbe4d48abf1c547cae61a4d3f165863b5e00548d1e46d71f86a8a32
Risk score: 144

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5565

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high, PDF_SEO_UTM_REDIRECTOR_LINK]
    The PDF embeds an image with little or no body text plus a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector. This is the 'free ebook / solution-manual / document download' phishing family, which ranks for natural-language search queries and routes the user into a payload or redirect chain. The PDF itself carries no exploit; the risk is the linked destination. The rule fires on structure (image lure plus SEO redirector link), so it does not depend on a ClamAV or ML signature and is unaffected by how many filler text pages the lure carries.
  • Embedded JS stream [low, PDF_JS]
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [info, PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mifuj.co.za/XSRYdR1H?utm_term=eliminar+hormigas+de+forma+natural (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                          Kind             Source                                   Size
font_00_sfnt_off0004c46e.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0x4C46E  10884 bytes
    SHA-256: af43d2b158a8cd1b51b0f5f257d7b21ed2ef7ce462815fa74437fe8acfcfdb30
font_01_sfnt_off0004dd23.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0x4DD23  19180 bytes
    SHA-256: 3dbd3089da3d2d48c8dd0cd5104c9e215997953287a5e6feb9dc4e98afac28bc
font_02_sfnt_off00050e8a.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0x50E8A  16560 bytes
    SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9