Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa81c9da69701c86…

MALICIOUS

PDF

319.2 KB Created: 2022-04-06 03:49:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-07
MD5: 896f3232b7574451ab7cee1b18e5f366 SHA-1: 826673254481fa94156f506ee31b66ddea17bc16 SHA-256: aa81c9da69701c86df73cb400c396a288c58c8e6739a40ae783b791e57fd28ea
136 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.6935

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://podar.co.za/XSRYdR1H?utm_term=super+vegeta+2+xenoverse+2 PDF link annotation
    • https://wujawosekeg.weebly.com/uploads/1/3/4/7/134712458/pixaxetitamo.pdfIn PDF document text
    • https://pefupofavuxugo.weebly.com/uploads/1/4/1/2/141249676/tokerob.pdfIn PDF document text
    • https://danabemove.weebly.com/uploads/1/3/0/7/130776083/duluzuvi-dudapi-lukizun-selewa.pdfIn PDF document text
    • https://bawimivumo.weebly.com/uploads/1/3/4/6/134609907/xekolafurerogik.pdfIn PDF document text
    • https://guxaxomamuviwo.weebly.com/uploads/1/4/1/3/141331967/riregexifag.pdfIn PDF document text
    • https://jefibapo.weebly.com/uploads/1/3/2/7/132712451/c3b6581535a3.pdfIn PDF document text
    • https://sabuzirovapun.weebly.com/uploads/1/3/0/8/130813511/xegebalopitima-monufuv-nojetipabor-difokami.pdfIn PDF document text
    • https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1623a0e22c138f---98485513929.pdfIn PDF document text
    • https://tovibimatajo.weebly.com/uploads/1/3/5/9/135963052/4586236.pdfIn PDF document text
    • https://galofufe.weebly.com/uploads/1/3/1/3/131384583/3302091.pdfIn PDF document text
    • https://kiwudete.weebly.com/uploads/1/3/7/4/137499522/eeb62e2a2d7741.pdfIn PDF document text
    • https://mudobimug.weebly.com/uploads/1/3/4/8/134853100/mufep_papapupemabesa.pdfIn PDF document text
    • https://xn--80aab4aif1bzi.xn--07-6kc3bf4angc2g.xn--p1ai/files/files/35672970265.pdfIn PDF document text
    • https://nenesasexogo.weebly.com/uploads/1/3/5/4/135400776/2213628.pdfIn PDF document text
    • https://vorimebexefup.weebly.com/uploads/1/3/5/9/135960379/099458.pdfIn PDF document text
    • https://shiokuda1.com/contents/files/57022325810.pdfIn PDF document text
    • https://ranepudanaliv.weebly.com/uploads/1/3/4/0/134000181/riwivere.pdfIn PDF document text
    • https://wipuzene.weebly.com/uploads/1/3/5/9/135971348/dilolalirijil.pdfIn PDF document text
    • https://gebopudexor.weebly.com/uploads/1/3/4/4/134482947/vukidalubagudez-guguvoduw-jabevaluzu-gadevafu.pdfIn PDF document text
    • http://alzinda.fr/ckeditor/kcfinder/upload/files/24586364678.pdfIn PDF document text
    • http://ttech.com.vn/ckeditor/kcfinder/upload/files/85336730182.pdfIn PDF document text
    • https://nonesuwenuvav.weebly.com/uploads/1/3/4/4/134400251/dasulukid.pdfIn PDF document text
    • https://fukorolavo.weebly.com/uploads/1/3/4/6/134639224/c276dc0cacc2.pdfIn PDF document text
    • https://smarttactic.ro/wp-content/plugins/formcraft/file-upload/server/content/files/162431fa10c6fd---44059091716.pdfIn PDF document text
    • https://wifaborasumekig.weebly.com/uploads/1/3/2/6/132695644/tagosub.pdfIn PDF document text
    • https://rumefonurotu.weebly.com/uploads/1/3/0/7/130740232/be2f4da956f48d.pdfIn PDF document text
    • http://oipipleszno.pl/userfiles/file/sudikozizibugadik.pdfIn PDF document text
    • https://lasajixifu.weebly.com/uploads/1/3/7/5/137515251/d03993137a.pdfIn PDF document text
    • https://julotovodirol.weebly.com/uploads/1/3/4/5/134522883/nixipezuwubuka_lafapulopu_zowewet_watoxaz.pdfIn PDF document text
    • https://melekutiruj.weebly.com/uploads/1/3/2/7/132740408/c3e6f76cfac41e.pdfIn PDF document text
    • https://cargobull.cz/res/file/vozezugawagi.pdfIn PDF document text
    • https://faniwavuguvupos.weebly.com/uploads/1/3/4/4/134478403/mewujije.pdfIn PDF document text
    • https://nevipezuke.weebly.com/uploads/1/3/4/6/134652321/wuzatolutaselagara.pdfIn PDF document text
    • https://dubuzosokiboxof.weebly.com/uploads/1/3/1/1/131163723/fuguzerexa.pdfIn PDF document text
    • http://gniortho.com/files/Upload/file/29428963422.pdfIn PDF document text
    • http://xn--80apabice8bfaf.net/kcfinder/upload/files/gavow.pdfIn PDF document text
    • https://zidivopopa.weebly.com/uploads/1/3/4/3/134373798/4840183.pdfIn PDF document text
    • http://bndweb.nl/upload/files/58583879883.pdfIn PDF document text
    • http://job.nspu.ru/ckeditor/kcfinder/upload/files/nusorusapamox.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000485b4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x485B4 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00049dc6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x49DC6 21012 bytes
SHA-256: 24bf4ff559dc0beb66bc3dc4093571eddb05b4961337d0f36cdf51cfe7853e5e
font_02_sfnt_off0004d421.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4D421 10752 bytes
SHA-256: 947fc223804e89ed89a1cd8f2ae15d8a6de0455fb1ed3e0640f6cb5bf4f0ea59

Open this report in the interactive analyzer, or submit your own file for analysis.