Malicious PDF — malware analysis report

Static analysis result for SHA-256 94114c6925dd991c…

MALICIOUS

PDF

Size: 167.7 KB
Created: 2022-03-01 08:56:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-12
MD5: 50948393d5fe73ee2e0741df934caab6
SHA-1: cf2e225ac25e9de787f950e285c326490e7ddd94
SHA-256: 94114c6925dd991cb886951352b27952b384656b2e53ab57ed631e8b517c8a7a
Risk Score: 164

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a /JS reference and numerous external URIs, most of which point to random-slug files parked in the upload storage of compromised CMS installations or form a link farm on disposable hosting. The ML classifier and the ClamAV signature both mark the file as malicious; its purpose is to route the reader into phishing or malware-hosting redirect chains rather than to exploit the viewer. Note that the JavaScript reference scores low on its own (generic JavaScript is common in benign forms, and no dangerous API rule fired) and that the link-farm heuristics below state that the PDF carries no exploit: the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://yubit.co.za/XSRYdR1H?utm_term=ashcroft+b7+pressure+switch+manual (PDF link annotation)
    • http://breakevenpoint.pl/uploads/editor/file/44304962351.pdf (in PDF document text)
    • http://www.hypnotiseur.com/wp-content/plugins/formcraft/file-upload/server/content/files/161f90515789d3---dudoziwegedelukigeli.pdf (in PDF document text)
    • http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/16211c8614864b---30896715293.pdf (in PDF document text)
    • http://sakulchaiplace.com/Uploads/file/lewizatipamalato.pdf (in PDF document text)
    • https://alteanetworks.fr/img/file/13124118698.pdf (in PDF document text)
    • http://mitrasejati.co.id/assets/kcfinder/upload/files/xasadirigewotuloloxeni.pdf (in PDF document text)
    • http://rts-3.ru/upload/files/24017424689.pdf (in PDF document text)
    • https://poldercuptrofee.nl/site/admin/ckfinder/userfilesfiles/4497106277.pdf (in PDF document text)
    • http://aitrans.cn/UploadFile/file/F1202202240448099956.pdf (in PDF document text)
    • http://siva.re/app/webroot/js/kcfinder/upload/files/serox.pdf (in PDF document text)
    • http://lingeriedediva.com/UploadFile/file/2022021703142673499.pdf (in PDF document text)
    • http://kor-ra.ru/UserFiles/file/24616052674.pdf (in PDF document text)
    • http://xn--h49al33a2zdp0eo1x.com/DATA/file/20220203114425.pdf (in PDF document text)
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/162020542220e5---vinilazibupizalaxufimabe.pdf (in PDF document text)
    • https://www.travelknowhowscotland.co.uk/assets/js/ckfinder/userfiles/files/78295188947.pdf (in PDF document text)
    • http://gpmpoolandspa.com/ckfinder/userfiles/files/89465147276.pdf (in PDF document text)
    • https://centar-znr-zop.hr/wp-content/plugins/formcraft/file-upload/server/content/files/162135584e2edd---zanevuvosunagineridanon.pdf (in PDF document text)
    • https://archicakedesign.com/upload/file/fefizumetiwukisepev.pdf (in PDF document text)
    • https://mimpishio1bet.com/contents/files/gikol.pdf (in PDF document text)
    • http://essential-people.com/USAID/file/favomuzefoz.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The last eight entries are XMP namespace and DejaVu font licence URIs carried in the document metadata; they appear in most PDFs and are not link targets.
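The two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can be re-derived from nothing more than the extracted URL set. The script below is an added example, not code from this report or from the analysis engine that produced it: it embeds the URLs listed in the EMBEDDED_URL section as a constant so it runs offline, and its thresholds and upload-directory patterns are this example's own assumptions rather than the engine's actual rules.

```python
"""Added example: score a PDF's extracted URL set for link-farm shape.
Not part of the report or its analysis engine; thresholds and patterns are
assumptions chosen to illustrate the two heuristics."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed input: the link annotation, the 20 document-text PDF links and
# three of the metadata URIs listed in this report.
REPORT_URLS = """
https://yubit.co.za/XSRYdR1H?utm_term=ashcroft+b7+pressure+switch+manual
http://breakevenpoint.pl/uploads/editor/file/44304962351.pdf
http://www.hypnotiseur.com/wp-content/plugins/formcraft/file-upload/server/content/files/161f90515789d3---dudoziwegedelukigeli.pdf
http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/16211c8614864b---30896715293.pdf
http://sakulchaiplace.com/Uploads/file/lewizatipamalato.pdf
https://alteanetworks.fr/img/file/13124118698.pdf
http://mitrasejati.co.id/assets/kcfinder/upload/files/xasadirigewotuloloxeni.pdf
http://rts-3.ru/upload/files/24017424689.pdf
https://poldercuptrofee.nl/site/admin/ckfinder/userfilesfiles/4497106277.pdf
http://aitrans.cn/UploadFile/file/F1202202240448099956.pdf
http://siva.re/app/webroot/js/kcfinder/upload/files/serox.pdf
http://lingeriedediva.com/UploadFile/file/2022021703142673499.pdf
http://kor-ra.ru/UserFiles/file/24616052674.pdf
http://xn--h49al33a2zdp0eo1x.com/DATA/file/20220203114425.pdf
http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/162020542220e5---vinilazibupizalaxufimabe.pdf
https://www.travelknowhowscotland.co.uk/assets/js/ckfinder/userfiles/files/78295188947.pdf
http://gpmpoolandspa.com/ckfinder/userfiles/files/89465147276.pdf
https://centar-znr-zop.hr/wp-content/plugins/formcraft/file-upload/server/content/files/162135584e2edd---zanevuvosunagineridanon.pdf
https://archicakedesign.com/upload/file/fefizumetiwukisepev.pdf
https://mimpishio1bet.com/contents/files/gikol.pdf
http://essential-people.com/USAID/file/favomuzefoz.pdf
http://www.w3.org/1999/02/22-rdf-syntax-ns#
http://ns.adobe.com/xap/1.0/
http://dejavu.sourceforge.net/wiki/index.php/License
""".split()

# XMP namespaces and font-licence hosts that nearly every PDF carries in metadata.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "dejavu.sourceforge.net"}

# Upload directories of CMS form plugins and file-manager editors that get used
# as free hosting once a site is compromised (assumed patterns, not the engine's).
UPLOAD_DIR_RE = re.compile(
    r"/wp-content/plugins/(formcraft|super-forms)/"
    r"|/(kc|ck)finder/(upload|userfiles)"
    r"|/uploads?/(editor/)?files?/"
    r"|/(user|upload)files?/file/",
    re.IGNORECASE,
)


def is_seo_redirector(url):
    """A utm_term whose value reads like a multi-word search query marks the
    redirector hop that ranks the PDF for that query."""
    terms = parse_qs(urlparse(url).query).get("utm_term", [])
    return any(len(t.split()) >= 2 for t in terms)


def triage(urls, min_links=8, max_dominant_share=0.25):
    """Apply both link-farm heuristics and return the evidence behind them."""
    parsed = [(u, urlparse(u)) for u in urls]
    external = [(u, p) for u, p in parsed if p.hostname not in METADATA_HOSTS]
    pdf_links = [(u, p) for u, p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for _, p in pdf_links)
    dominant = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    upload_hits = [u for u, p in pdf_links if UPLOAD_DIR_RE.search(p.path)]
    upload_hosts = {urlparse(u).hostname for u in upload_hits}
    redirectors = [u for u, _ in external if is_seo_redirector(u)]

    findings = []
    # Several distinct hosts each parking a random-slug PDF in a plugin upload dir.
    if len(upload_hits) >= 3 and len(upload_hosts) >= 3:
        findings.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    # Many PDF links spread thin (no dominant host) plus an SEO redirector.
    if len(pdf_links) >= min_links and dominant <= max_dominant_share and redirectors:
        findings.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_share": round(dominant, 3),
        "upload_hits": len(upload_hits),
        "redirectors": redirectors,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_URLS).items():
        print(f"{key}: {value}")
```

On this report's URL set the script sees 20 PDF links over 20 distinct hosts (dominant share 0.05), 16 of them under plugin or file-manager upload directories, and one utm_term redirector, so both heuristics fire; a normal citation pattern (a few PDFs on one host, no redirector) produces no finding.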

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0002368c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2368C | 11100 bytes
  SHA-256: 6f8aad5520716397184e220b4442fa644353f0f219a62cedfdfce4909f08b8f0
font_01_sfnt_off0002502a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2502A | 16560 bytes
  SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_02_sfnt_off00026745.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26745 | 16408 bytes
  SHA-256: e2e87ebc57b1ba5fb1a7e64280ba0edd48dd72241b10c37a6a639d1ce57fcce1
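Returning to the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_JS heuristics above: the parser-confusion shape they describe is easy to reproduce at the byte level. The script below is an added example, not code from this report or its analysis engine. It constructs a small PDF inline (an original section plus one incremental update that redefines two objects, one of them with a JavaScript action) so it runs offline, indexes every `N G obj ... endobj` definition, reports object numbers whose bodies differ, shows what a first-wins versus a last-wins reader would resolve, and scans bodies and inflated FlateDecode streams for JavaScript API names. The set of keys treated as "active content" and the list of "dangerous" API names are this example's own choices.

```python
"""Added example: detect duplicate object definitions and JavaScript in a PDF
by scanning raw bytes. Not the report's tooling; the active-content keys,
API names and the sample PDF are this example's assumptions."""
import re
import zlib

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Dictionary keys that make an object do something when the document is opened
# or the annotation is activated (assumed list; plain /URI links are excluded).
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm|ImportData|GoToR)\b")
# JavaScript APIs commonly abused for redirects, exfiltration or exploitation.
JS_API_RE = re.compile(rb"(app\.launchURL|exportDataObject|util\.printf|getAnnots|submitForm|Collab\.)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)

# Constructed sample: original section, then an incremental update that redefines
# object 4 (adds a JavaScript action), re-emits 5 unchanged, changes 6's text and
# adds a JavaScript action (7) whose script lives in a FlateDecode stream (8).
_JS = b"app.launchURL('https://example.invalid/c.pdf', true);"
_DEFLATED = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/a.pdf) >> >> endobj\n"
    b"5 0 obj (unchanged) endobj\n"
    b"6 0 obj << /Title (Report v1) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL('https://example.invalid/b', true)) >> >> endobj\n"
    b"5 0 obj  (unchanged)  endobj\n"
    b"6 0 obj << /Title (Report v2) >> endobj\n"
    b"7 0 obj << /S /JavaScript /JS 8 0 R >> endobj\n"
    b"8 0 obj << /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)


def index_objects(pdf_bytes):
    """Map (number, generation) -> every body defined for it, in file order."""
    table = {}
    for num, gen, body in OBJ_RE.findall(pdf_bytes):
        table.setdefault((int(num), int(gen)), []).append(body.strip())
    return table


def _payloads(body):
    """Yield the body and, if it carries a FlateDecode stream, the inflated data."""
    yield body
    m = STREAM_RE.search(body)
    if m and b"/FlateDecode" in body:
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # truncated or non-zlib data: leave it to a full parser


def duplicate_definitions(pdf_bytes):
    """Objects defined more than once whose bodies differ beyond whitespace."""
    findings = []
    for key, bodies in index_objects(pdf_bytes).items():
        if len({re.sub(rb"\s+", b" ", b) for b in bodies}) > 1:
            findings.append({
                "obj": key,
                "copies": len(bodies),
                "active": any(ACTIVE_RE.search(b) for b in bodies),
            })
    return findings


def severity(finding):
    """Raise severity only when a differing duplicate carries active content."""
    return "medium" if finding["active"] else "info"


def resolve(pdf_bytes, num, gen=0, policy="last"):
    """Emulate a reader: 'first' keeps the first definition it meets, 'last'
    keeps the final one (what an update-aware reader normally uses)."""
    bodies = index_objects(pdf_bytes).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def dangerous_js_apis(pdf_bytes):
    """(object number, API name) for every body or inflated stream naming one.
    Every object is scanned because scripts are usually referenced indirectly."""
    hits = []
    for (num, _), bodies in index_objects(pdf_bytes).items():
        apis = {m.group(1) for b in bodies for p in _payloads(b) for m in JS_API_RE.finditer(p)}
        hits.extend((num, api) for api in sorted(apis))
    return hits


if __name__ == "__main__":
    for f in duplicate_definitions(SAMPLE_PDF):
        print(f["obj"], f["copies"], "copies,", severity(f))
    print("first-wins 4 0:", resolve(SAMPLE_PDF, 4, policy="first"))
    print("last-wins  4 0:", resolve(SAMPLE_PDF, 4, policy="last"))
    print("JS APIs:", dangerous_js_apis(SAMPLE_PDF))
```

On the sample, objects 4 and 6 are reported as duplicates with differing bodies; only object 4 carries active content, so it is the one whose severity is raised, and a first-wins reader resolves it to the harmless link while a last-wins reader resolves it to the JavaScript action. Object 5 is skipped because its two copies differ only in whitespace, and the `app.launchURL` call hidden in the compressed stream of object 8 is found only because the stream is inflated before scanning. A real file also needs object streams (/ObjStm) and the cross-reference table handled, which this byte scan deliberately ignores.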