Malicious PDF — malware analysis report

Static analysis result for SHA-256 af28462dcfc0f5ff…

MALICIOUS

PDF

476.0 KB Created: 2022-02-04 17:05:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-22
MD5: 61bb2b5cde08a2f059d4196b6a21b7b6 SHA-1: 71d531578a665160a01ef2be56fe3a133b55af82 SHA-256: af28462dcfc0f5ffba2c30f4a6c93608a5584ee7b8a86fe6e75b5debabebf65d
136 Risk Score

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3225

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lovig.co.za/XSRYdR1H?utm_term=schedule+d+2018+form+1040 PDF link annotation
    • https://www.advids.co/wp-content/plugins/formcraft/file-upload/server/content/files/161ed6a9fc7424---3483584931.pdfIn PDF document text
    • http://jia-longsofa.com/uploadpic/jialong151126/files/202111301553185485.pdfIn PDF document text
    • http://ruresept.ru/files/file/65173928651.pdfIn PDF document text
    • http://classtool.info/upload/files/terivekogisi.pdfIn PDF document text
    • http://www.julietlandau.com/fckeditor/userfiles/file/51183350779.pdfIn PDF document text
    • http://maszyny.pl/userfiles/file/98073445356.pdfIn PDF document text
    • https://oncallanatomist.com/ckfinder/userfiles/files/88840662849.pdfIn PDF document text
    • http://villaturri.it/wp-content/plugins/formcraft/file-upload/server/content/files/1616f4f453339d---75155971123.pdfIn PDF document text
    • http://pamat.ro/UserFiles/file/falatudupivejisa.pdfIn PDF document text
    • http://iphysiology.ru/upload/36653674178.pdfIn PDF document text
    • https://anep.it/ckeditor/kcfinder/upload/files/pebuvupuserug.pdfIn PDF document text
    • http://gtlmarinefuel.com/userfiles/file/95400410899.pdfIn PDF document text
    • https://graveyards-fuj.ae/userfiles/files/repinifididudemukepiboda.pdfIn PDF document text
    • http://ibtaker.ps/userfiles/file/kifuniburamojibebor.pdfIn PDF document text
    • https://dentalrud.com/userfiles/file/17644521911.pdfIn PDF document text
    • https://possamaiferramenta.it/uploads/file/numudagamevezag.pdfIn PDF document text
    • http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/161821f934462c---43285278836.pdfIn PDF document text
    • https://ateneoarbonaida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1616556167406a---meluso.pdfIn PDF document text
    • https://www.jakketoes.be/ckfinder/userfiles/files/fitenuvuwuduja.pdfIn PDF document text
    • https://www.officinadelgustoroma.com/wp-content/plugins/super-forms/uploads/php/files/8a79d85ecfc4b95ab735c00fb7d0f119/10436624800.pdfIn PDF document text
    • http://ipceurope.be/assets/file/11855362796.pdfIn PDF document text
    • http://prplus4u.com/ckupload/files/56206414219.pdfIn PDF document text
    • http://jongauger.com/userfiles/file/bukajatu.pdfIn PDF document text
    • http://wanyuantemple.tw/userfiles/file/72957687248.pdfIn PDF document text
    • http://rcot.by/pics/files/biwonetugoxitefatupimu.pdfIn PDF document text
    • https://synersys.fr/contenu/file/78320513931.pdfIn PDF document text
    • http://www.serenissimaservizi.com/files/45601339362.pdfIn PDF document text
    • http://maschimaurizio.it/userfiles/files/tasijeko.pdfIn PDF document text
    • http://lustigersteirer.at/userfiles/file/xoguvoduxarit.pdfIn PDF document text
    • http://kayseritupbebektedavisi.com/angora/userfiles/file/botesuxefisopin.pdfIn PDF document text
    • http://rideabikenews.com/user_img/files/23992656251.pdfIn PDF document text
    • http://doors.syskon.eu/ckfinder/userfiles/files/fonubejiwutug.pdfIn PDF document text
    • http://barudan.hk/UploadFile/file/20210909105145801.pdfIn PDF document text
    • https://sdhouse.info/ckfinder/userfiles/files/86000464595.pdfIn PDF document text
    • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/161f4c89aa0d17---larujapoge.pdfIn PDF document text
    • http://alhouti.com/userfiles/file/tovudufuvetobufaleju.pdfIn PDF document text
    • http://business-baltic.com/myfiles/dok/40352773802.pdfIn PDF document text
    • https://resonanceacteurs.nl/userfiles/file/16837404719.pdfIn PDF document text
    • https://ist-lb1.istanajp.com/contents/files/51144907021.pdfIn PDF document text
    • http://www.grupotresa.com/uploads/kcfinder/upload/files/81796773395.pdfIn PDF document text
    • https://vnmmalta.com/userfiles/file/nizavatijiruzatogo.pdfIn PDF document text
    • https://ric-sb.si/uploads/files/49619477988.pdfIn PDF document text
    • http://theflowermaker.com/uploads/File/guxowo.pdfIn PDF document text
    • http://belovosushi.ru/files/13073554068.pdfIn PDF document text
    • http://normandyclassof79stl.com/clients/e/e1/e16d7b8530e96d8d426d6b963c92b0b5/File/jawowogisazaji.pdfIn PDF document text
    • http://okna-kurska.ru/page_edit/_samples/userfiles/files/repafepotuwubadopixipe.pdfIn PDF document text
    • https://parquesanalbertohurtado.cl/ckfinder/userfiles/files/40579734267.pdfIn PDF document text
    • http://birons.net/wp-content/plugins/super-forms/uploads/php/files/c6e1073d92e1edda29e6deb2a094234b/99857357774.pdfIn PDF document text
    • http://isagenixmakessense.com/ckfinder/userfiles/files/nudiluzivumopesupigubamiv.pdfIn PDF document text
    +8 more URL(s)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00070254.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x70254 16924 bytes
SHA-256: a30437d041a74263821adc8c9b46dd8f4401703f0af8c2043484302c503c3588
font_01_sfnt_off00072e86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x72E86 10872 bytes
SHA-256: 28da369422f7224d442ae47389c444ed74565542d911715030b99a3ffbab31c1
font_02_sfnt_off000747d0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x747D0 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9

Open this report in the interactive analyzer, or submit your own file for analysis.