Malicious PDF — malware analysis report

Static analysis result for SHA-256 782bbbd568781691…

Verdict: MALICIOUS
File type: PDF
Size: 332.8 KB
Created: 2022-01-25 06:34:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-16

MD5: c9e6935e3b6918d29a3e0e30b368594d
SHA-1: 422e7950d89bfd416f831864b214cc50a39758e5
SHA-256: 782bbbd568781691464c279ea2d65b90fd109486370006a729fe43ade39c884b

Risk score: 136

Machine Learning

  • Nyx PDF Classifier malicious score 0.6933

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
------------------------------|-----------------|--------------------------------------------|------------
font_00_sfnt_off0004c9ee.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4C9EE | 10492 bytes
  SHA-256: 48f1e0c3750a27e7b5515975ba51df07561773e976febfe8c03857d507214a11
font_01_sfnt_off0004e153.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E153 | 16376 bytes
  SHA-256: db852ca2637df86915bb64d2a0ca4b4979ef788ff620d29a16c3929b9af6bbe9
font_02_sfnt_off00050c32.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x50C32 | 16416 bytes
  SHA-256: cfa2c3fbce80cc5607e01af033b793d17c57c214fb1d96e845eedea48cccd336