Malicious PDF — malware analysis report

Static analysis result for SHA-256 7930767ac51facc2…

MALICIOUS

PDF

383.7 KB Created: 2021-12-16 19:14:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-15
MD5: 795003918a7c772650bd8db441282c16 SHA-1: b3d0764b584b12f7e0a8c0542ac598a9e78fabfb SHA-256: 7930767ac51facc25c7e56f0505831807f8f855a280363b6f4215d6453b0567d
166 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.7525

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/16151ab6e7b6b7---80766000843.pdf In PDF document text
    • https://cryptoshift.be/anaeter_capital/siteadmin/userfiles/files/16289914202.pdfIn PDF document text
    • http://karinameal.com/imgdish/files/85753134600.pdfIn PDF document text
    • https://vanchuyensahara.com/site/files/96366059039.pdfIn PDF document text
    • http://cy2hand.com/userfiles/fopovezavawumen.pdfIn PDF document text
    • http://zoncmswebsitebeheer.nl/files/editor/file/xevisamemexabo.pdfIn PDF document text
    • https://netshopnepal.com/userfiles/file/xozuzutegexulokilaw.pdfIn PDF document text
    • http://businessplan-capalpha.eu/mbp/upload/images/images/upload/ckfinder/3838920183.pdfIn PDF document text
    • http://soeurs-scjboran.fr/soeurs/upload/files/jujajowufinefutog.pdfIn PDF document text
    • http://mlight.cz/archiv/file/bizufapurejekas.pdfIn PDF document text
    • https://www.campacinter.com/image/upload/File/dilinerekekenepixizoj.pdfIn PDF document text
    • https://melnikhouse.com/userfiles/file/17555009601.pdfIn PDF document text
    • http://sushigonewildtogo.com/uploads/files/35875027259.pdfIn PDF document text
    • http://usaoxin.com/userfiles/2021-10/file/wurogedezak.pdfIn PDF document text
    • http://takramaipai.com/mypicture/file/48919021440.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/2b8c1ebaf64ff1e2d1b0349d120239cc/81876095186.pdfIn PDF document text
    • http://edu-soft.ru/site/htmlimages/file/tituwurado.pdfIn PDF document text
    • https://adci.vn/data/upload/file/pezoma.pdfIn PDF document text
    • http://mhfmjournal.com/data/22/2/55/64/2544879/user/2788947/htdocs/userfiles/file/kejud.pdfIn PDF document text
    • http://kientam.info/uploads/userfiles/file/39554084489.pdfIn PDF document text
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/1617b8d9673e0c---50713333446.pdfIn PDF document text
    • https://muratay.nl/userfiles/file/51492514041.pdfIn PDF document text
    • http://feedproxy.google.com/~r/MbOu/~3/RC0zOYPQW8A/uplcv?utm_term=what+are+the+different+types+of+covid+testsPDF link annotation
    • http://zs.tom.ru/jsplugins/ckfinder/userfiles/files/lulixi.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0005951d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5951D 16416 bytes
SHA-256: cfa2c3fbce80cc5607e01af033b793d17c57c214fb1d96e845eedea48cccd336
font_01_sfnt_off0005abc1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5ABC1 10844 bytes
SHA-256: d178bad7e8d4d98c5d61766fd3efbb4182a6a72fe0ae587dae4a969e24914dd3
font_02_sfnt_off0005c4cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5C4CC 16548 bytes
SHA-256: 9d32d90503b88c2b5ea61987ce0e5f901ba8a5171596798b34ed58011521eecd