Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4f73b774766205b…

MALICIOUS

PDF

383.4 KB Created: 2022-03-27 11:09:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-07-01
MD5: b6e4a5c00bd0c852a491b00b32a92140 SHA-1: deaaa65712ecbddc6be95cf2d564ab5eb83dfc39 SHA-256: a4f73b774766205b4b95e37cdc30f69b4988ef96e8648d6a2123fc89d1ed5a65
206 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.6037

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yubit.co.za/XSRYdR1H?utm_term=remembrance+tattoos+for+brother PDF link annotation
    • https://mai-avto.ru/upload_files/file/51272695072.pdfIn PDF document text
    • http://sualpturizm.com/userfiles/file/80259541787.pdfIn PDF document text
    • https://e-tta.com/app/webroot/userfiles/files/burubozaluleve.pdfIn PDF document text
    • https://alinassociates.com/assets/kcfinder/upload/files/92498771971.pdfIn PDF document text
    • https://lakecountyoralsurgery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1620056258c025---sojisugilago.pdfIn PDF document text
    • https://www.sinditamaraty.org.br/site/public/ckeditor/kcfinder/upload/files/53224012589.pdfIn PDF document text
    • https://artgallery.devctn.com/ckfinder/userfiles/files/91718986141.pdfIn PDF document text
    • http://exteractif.fr/pictures/2/29860967567.pdfIn PDF document text
    • https://myslivna.posilatko.cz/files/wswg/file/parubuvedaxatutimoxezi.pdfIn PDF document text
    • http://jerseysolarenergysystems.com/userfiles/file/41869064551.pdfIn PDF document text
    • http://sushi-belovo.ru/files/13976811788.pdfIn PDF document text
    • https://staffinghub.complifly.com/ckeditor/kcfinder/upload/files/97470659841.pdfIn PDF document text
    • https://www.seminariosanpiox.it/ckeditor/kcfinder/upload/files/99536158848.pdfIn PDF document text
    • http://milcontabil.com.br/wp-content/plugins/super-forms/uploads/php/files/34r4auu0pcs7tgcfgcq0u2uh80/rozuxovijinozetapopo.pdfIn PDF document text
    • http://unternehmensberatung-hegenbarth.de/userfiles/file/wuzobunefaverigolutejoz.pdfIn PDF document text
    • http://bangtutrang.com/upload/files/rorubisaseresov.pdfIn PDF document text
    • https://inclinedigital.com/wp-content/plugins/formcraft/file-upload/server/content/files/1620f096b022e0---jidakipafosozoxikufafu.pdfIn PDF document text
    • http://abbaorphancare.org/survey/userfiles/files/12725208774.pdfIn PDF document text
    • http://proclima-membranes.ru/userfiles/file/17428667074.pdfIn PDF document text
    • http://meruzhankhachatryan.com/app/webroot/files/file/kupemoxuviximubu.pdfIn PDF document text
    • http://interstyle.org/content/xuploadimages/file/33269877583.pdfIn PDF document text
    • https://www.albispanaderia.com/wp-content/plugins/super-forms/uploads/php/files/a0fcc4e8c6c411e147cfc21b436cb44f/11678529806.pdfIn PDF document text
    • http://sochi-vitrazhi.ru/ckfinder/userfiles/files/30148152767.pdfIn PDF document text
    • http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/162037148a7317---39522671990.pdfIn PDF document text
    • http://aquaview.net/uploads/assets/files/83775336892.pdfIn PDF document text
    • http://chinamakina.com/userfiles/file/74225510566.pdfIn PDF document text
    • https://savvybusiness.eu/klc/file/febem.pdfIn PDF document text
    • https://mi-stores.com/basketballtotaal/images/editor/file/86124172588.pdfIn PDF document text
    • http://okun.su/upload/file/wijevesebedareriz.pdfIn PDF document text
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/16227eacc3637e---xujuxajewabeluwunumupigi.pdfIn PDF document text
    • http://expertsystemgroup.com/file_media/file_image/file/tisazasafo.pdfIn PDF document text
    • http://debandhelder.nl/ckfinder/userfiles/files/31092253203.pdfIn PDF document text
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/1622c8a31c64c8---kigikigivikiruzem.pdfIn PDF document text
    • http://dothimau.vn/kcfinder/upload/files/dapudefemajedabetobupepak.pdfIn PDF document text
    • http://raudhatuljannah-gma.com/assets/kcfinder/upload/files/warulal.pdfIn PDF document text
    • http://huichem.com/ckfinder/userfiles/files/70503183859.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn extracted file (font_00_sfnt_off00058f9e.bin)
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn extracted file (font_00_sfnt_off00058f9e.bin)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00058f9e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x58F9E 17800 bytes
SHA-256: a2400067a3428dfc4ac9178cd2ec778e952476f12b62a4903b59f4c2ecd70236
font_01_sfnt_off0005be49.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE49 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_02_sfnt_off0005d569.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5D569 10648 bytes
SHA-256: d97d605642c760bb276a0baa27440d3965d5dadfc4872b3b2f3457266f5dba64