Malicious PDF — malware analysis report

Static analysis result for SHA-256 941657588963304a…

Verdict: MALICIOUS
File type: PDF
Size: 334.7 KB
Created: 2022-02-03 05:17:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-12
MD5: 4e45de2cf88f7c289ac74a5cb437efe8
SHA-1: 4f6c16424613f896f26500b9069cf0615600f5b7
SHA-256: 941657588963304ada9ee02b826aa0d1f276f45db5b9e3071ed2624cf6ba5850
Risk Score: 176

Machine Learning

  • Nyx PDF Classifier malicious score 0.5565

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tevav.co.za/XSRYdR1H?utm_term=agar.+io+mod+apk+latest  In PDF link annotation

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0004cd28.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4CD28
    Size: 17364 bytes
    SHA-256: c29d743c138bd581758608462b289c3f2a885cdad95828a66cf365149741a3bb
  • Filename: font_01_sfnt_off0004fa47.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4FA47
    Size: 10768 bytes
    SHA-256: 292c8f2313f23566bc4309a7d3e3aac87c17dbf560f160d8e181cc94083a44e2
  • Filename: font_02_sfnt_off000512ec.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x512EC
    Size: 16560 bytes
    SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9