Malicious PDF — malware analysis report

Static analysis result for SHA-256 aafb52349745d103…

MALICIOUS

PDF

68.1 KB Created: 2021-05-27 23:09:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 8cda453033a3326c505981d71ad8023d SHA-1: 2770b8a9839f5af304b12b7d93bcc733ceff89bc SHA-256: aafb52349745d103603ea1fb4ad093129c280c20bedb55e4be56b12cbac4a995
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, many of which point to compromised WordPress upload directories, suggesting it functions as a link farm designed to redirect users to malicious sites. The presence of these links and the overall structure strongly suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8421

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://stallion-international.com/userfiles/file/3620808450.pdf In PDF document text
    • http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ab41ab0511e---kudeboti.pdfIn PDF document text
    • https://www.rogierstoel.nl/wp-content/plugins/super-forms/uploads/php/files/6euvnitvo75elmo2if9mk41qst/85078674466.pdfIn PDF document text
    • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/4ra07dhs00jf6lavgeb8ph0e40/80717276481.pdfIn PDF document text
    • https://bettenbaehren.de/wp-content/plugins/formcraft/file-upload/server/content/files/160760e96befbe---79546178757.pdfIn PDF document text
    • https://forcechicago.com/wp-content/plugins/super-forms/uploads/php/files/d920d3eb6f4bd137041e760f50266914/53469548500.pdfIn PDF document text
    • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/aa0c12d30d8b997b083fcaf104979112/23054193122.pdfIn PDF document text
    • https://mziagroup.com/wp-content/plugins/super-forms/uploads/php/files/eamqr61g6nfip3l5aqi5tt81li/22831184892.pdfIn PDF document text
    • http://ndt-tl.ru/upload/file/28610648335.pdfIn PDF document text
    • http://ziepniekkalns.lv/wp-content/plugins/formcraft/file-upload/server/content/files/160a0fb521d9d4---91733409625.pdfIn PDF document text
    • https://razvozka24.ru/wp-content/plugins/super-forms/uploads/php/files/186ff00c4dff52e857e14cdaeb144411/36345822353.pdfIn PDF document text
    • http://adveotec.com/img/file/15063072694.pdfIn PDF document text
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/l6lm8rfj06269mp6g1sifaesnr/raburabadaxogazin.pdfIn PDF document text
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082f26d146b3---wixamos.pdfIn PDF document text
    • https://www.alphaveneers.com/wp-content/plugins/super-forms/uploads/php/files/ccd87faff93e69a9e91f1899df92b261/molireperi.pdfIn PDF document text
    • http://payassistinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609acc07c08cc---49440751162.pdfIn PDF document text
    • https://refour.eu/wp-content/plugins/super-forms/uploads/php/files/ea58007ab530f2a86bbb988c9e663582/6951896362.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/3CAf4wW3hvY/uplcv?utm_term=nakamichi+soundspace+9+user+manualPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f9bc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF9BC 5500 bytes
SHA-256: 934623d6500f2f1864ebbf3f7d3164568aaaa202b63801da297f81f051ba7a15

Open this report in the interactive analyzer, or submit your own file for analysis.