Malicious PDF — malware analysis report

Static analysis result for SHA-256 4af9fdd46a5519a3…

Verdict: MALICIOUS
File type: PDF
Size: 84.7 KB
Created: 2021-03-20 06:36:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-06
MD5: a4758f6d0741df835eea887a7c3b9156
SHA-1: edb0816eea9932be8c868052de7b82b796a96607
SHA-256: 4af9fdd46a5519a35e7301817c4c0e801700393ce4d9a0c6450f841efc7a0524
Risk score: 134

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/123?utm_term=alan+walker+lily+song++pagalworld.+com (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4496571/normal_60132ddbc9b53.pdf (in PDF document text)
    • http://vkysnaya-eda.site/evaluating_linear_functions_worksheet_answer_keyq8meq.pdf (in PDF document text)
    • http://50offshop.pro/91432437245pcnzu.pdf (in PDF document text)
    • http://sowugadawalu.iblogger.org/50703001675.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4410020/normal_5fd63b1a3026d.pdf (in PDF document text)
    • http://mscgis.net/basic_linux_commands_learnmctx7.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4449968/normal_5fc5eac4bfe61.pdf (in PDF document text)
    • http://prizinsta365.site/2008_dodge_ram_1500_repair_manual5l927.pdf (in PDF document text)
    • http://qlemelest.online/why_my_dryer_keeps_stoppingjekau.pdf (in PDF document text)
    • http://favodokoleti.mypressonline.com/agregao_pedaggica.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4402718/normal_5fc96199e4da3.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4414849/normal_5ffefd86deb4c.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://s3.amazonaws.com/dalava/android_portable_media_player_device.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/07ab11c0-9e2d-4ea1-a654-2f4823c28764/91229169697.pdf (in PDF document text)
    • http://datidalumoz.rf.gd/kajisojibive.pdf (in PDF document text)
    • http://gototura.myartsonline.com/2154205237.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/abad093c-0f44-4d13-90e9-e1d0f1d0f2a5/article_31_of_the_constitution_of_the_peoples_republic_of_china.pdf (in PDF document text)
    • http://fonezitugomal.rf.gd/safety_razor_kit_for_beginners.pdf (in PDF document text)
    • https://s3.amazonaws.com/wavunot/sample_cfo_interview_questions_and_answers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5b76ef03-3053-4278-8b1d-6cedc1ce0eb8/donetevawapemerovuxeziju.pdf (in PDF document text)
    • http://wukevuwotud.rf.gd/1_8_aluminum_sheet_lowes.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dc7c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC7C
    Size: 5380 bytes
    SHA-256: fb0ec4529f6ab5a0d2e6c7105a4fc5f6a0d9d0291ec721428bbb9a54c0f20316
  • font_01_sfnt_off0000eeba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEBA
    Size: 2176 bytes
    SHA-256: 84e5f7803f068f1ee6de1740275b8c94240f41e7b15088b5b9ac7b0194a81a81
  • font_02_sfnt_off0000f8cc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8CC
    Size: 13692 bytes
    SHA-256: cc52a2d952bbde65ad213ed6f309e36ccd0f4b0c8de62cf41e1a81ff90a7f4ff
  • font_03_sfnt_off000121ad.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x121AD
    Size: 16080 bytes
    SHA-256: aba6d7228e0fcc42341ee09250d9598a413f48202077e5963e65f524ed209447
  • font_04_sfnt_off00013657.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13657
    Size: 4324 bytes
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2