Malicious PDF — malware analysis report

Static analysis result for SHA-256 62412e7d41bac170…

Verdict: MALICIOUS
File type: PDF
Size: 380.3 KB
Created: 2022-02-23 11:52:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-29
MD5: 462bc110643bf2ca8de54440ace1b019
SHA-1: 1a1e6cc5c2f339a63e3274fde3e8c35a9b965169
SHA-256: 62412e7d41bac170812f11553842bb6b560344ad0f865e65a00be20cebf27b54
Risk score: 166

Machine Learning

  • Nyx PDF Classifier malicious score 0.5595

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) (high) PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yoyep.co.za/XSRYdR1H?utm_term=bark+at+the+moon+album (in PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                         | Kind            | Source                                      | Size        | SHA-256
font_00_sfnt_off00057c90.bin     | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57C90  | 10496 bytes | a6d09bad024ed8d9cc4eb35c2b785f4f4660c56de07a0205c6aec3c79bffdba3
font_01_sfnt_off00059448.bin     | pdf-font-stream | PDF embedded font (sfnt) at offset 0x59448  | 16560 bytes | 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_02_sfnt_off0005ab65.bin     | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5AB65  | 19960 bytes | 123c07bdb22a088860cf74ce25e305fe177bf6533ea564181be40cbb043237af