PDF malware analysis — malicious · 8dcb0981172a1d2e

MALICIOUS

PDF

86.4 KB Created: 2021-06-27 22:56:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-05

MD5: b1c8b31a2898f66f3da485e3bf993493 SHA-1: e337660a9f6990df0ca5798fab39cfa026ecb868 SHA-256: 8dcb0981172a1d2e620d5da8ed29eedb6508ece88e9a603c542c473e321148c9

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The 'SE_CALLBACK_LURE' heuristic suggests the document is designed to trick the user into calling a phone number, a common tactic in phishing and tech-support scams. The document contains numerous links to external PDFs hosted on compromised WordPress sites and disposable hosting, likely part of a link farm to improve search engine ranking or distribute malicious content. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 0.9952

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072814c22b65---79308283118.pdf In PDF document text
- https://baoyi-chuck.com/ckfinder/userfiles/files/vadavodizibejuvopegidafe.pdfIn PDF document text
- http://morgancountyoh.com/userimages/nigowobovamupefemix.pdfIn PDF document text
- https://ifacemount.com/wp-content/plugins/super-forms/uploads/php/files/epugc6a5kmv16l9ms56rb64kph/28533329972.pdfIn PDF document text
- http://afghansolar.com/userfiles/file/tiwaxoxaluvododopoz.pdfIn PDF document text
- https://www.guestquesttravelmedia.com/wp-content/plugins/super-forms/uploads/php/files/huue5tqtuvuocu6jtaj42bt4uq/96098121319.pdfIn PDF document text
- http://peaceinsrilanka.lk/userfiles/file/zigigemususunogamako.pdfIn PDF document text
- https://www.marthatrotts.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160ac912f1ebcf---86522026930.pdfIn PDF document text
- https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/1f2b48a4c4baf561ae1c5340852c4191/49700204993.pdfIn PDF document text
- https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cffdbe56080---83690028978.pdfIn PDF document text
- http://www.gainerwindows.ca/wp-content/plugins/super-forms/uploads/php/files/pfc9pipbrps0os1sj03k6nohu5/30933639451.pdfIn PDF document text
- https://bonpetsupply.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b792591515---64774721343.pdfIn PDF document text
- http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1606fb6bc72cef---jixalogikudenata.pdfIn PDF document text
- https://stewsites.com/wp-content/plugins/super-forms/uploads/php/files/deb6775acc2d4cfb8b590044175e283a/51930695590.pdfIn PDF document text
- https://oknoplus-omsk.ru/wp-content/plugins/super-forms/uploads/php/files/8147c9a86f10b7cc8f48e955f3e3124d/vidot.pdfIn PDF document text
- http://elenasteele.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d1ddc4b4029---kuxujuwitinagil.pdfIn PDF document text
- http://aquamedia.cn/ckfinder/userfiles/files/jozetevuzolalewanoka.pdfIn PDF document text
- https://plumcourse.com/wp-content/plugins/super-forms/uploads/php/files/33a02f7014d78ffa51704f91abbaa513/84773652633.pdfIn PDF document text
- http://przychodnia-felinskiego.pl/uploads/editor/file/2338440534.pdfIn PDF document text
- http://rld-carbon.ru/file/robepagavipemafak.pdfIn PDF document text
- https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/75e15e8050d322d8cff9aa6234f146a0/61510511682.pdfIn PDF document text
- http://www.tsssport.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a73f2ee9e67---6207665085.pdfIn PDF document text
- https://www.azulejositurry.com/wp-content/plugins/super-forms/uploads/php/files/ncrjo2sci227ugac02j4tdhbg6/kovoteva.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=most+volatile+stocks+in+nifty+50PDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ec83.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEC83	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off00010495.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10495	17660 bytes
SHA-256: `9ad7b59ade659814f755708cfd83f65b5e6a82222ac19cb30fecac7325dc4708`
`font_02_sfnt_off00013344.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13344	10752 bytes
SHA-256: `f308ace425980ff6ac54367790b3f21d20cc24b6388cc57f8729c885c8a2b052`

Open this report in the interactive analyzer, or submit your own file for analysis.