Verdict: MALICIOUS
Risk score: 144
Machine learning:
- Nyx PDF Classifier suspicious score 0.3645
Heuristics (7):
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00070bf9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x70BF9 | 7556 bytes | e88b2eb7d1972a3a61e9eed2d730ba1f460392c084c8c16bf522953443aeea8a |
| font_01_sfnt_off0007264e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7264E | 10760 bytes | d7e4075986d8aed3fca8c27319cabaca92a5237d4620b0d643a553524a1e8c3d |
| font_02_sfnt_off00073ecf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x73ECF | 16560 bytes | 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9 |
| font_03_sfnt_off000755ee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x755EE | 18408 bytes | 9d0dbe92a216df484b7a33edaf2b72becf1516af4abec2722ed0e22de9eaa77c |