Malicious PDF — malware analysis report

Static analysis result for SHA-256 afd5c1408607d26e…

MALICIOUS

PDF

Size: 325.5 KB
Created: 2022-07-07 21:57:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-10

MD5: 28a9b1b510eb3f9853b44c343ef13a96
SHA-1: 88f99c1d0f31c9778401e729392a5ef4b83edb57
SHA-256: afd5c1408607d26efb6f8325d83a0d163ca3978f4314587cfa884b1f97a8508a

Risk Score: 106

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6989

Heuristics (5)

  • Image lure linking to an SEO redirector (free-download phishing) [severity: high; rule: PDF_SEO_UTM_REDIRECTOR_LINK]
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage [severity: medium; rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [severity: info; rule: PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel that reached each one):
    • http://oalroax.com/c3?utm_term=bach+cello+suite+5+pdf+free+pdf (PDF link annotation)
    • https://tasivn.com/upload/ck/files/32082185375.pdf (in document body)
    • https://www.carlosfunes.es/wp-content/plugins/formcraft/file-upload/server/content/files/161f93a7482dee---rinozofo.pdf (in document body)
    • http://ylgems.com/file_media/file_image/file/sarif.pdf (in document body)
    • https://asid.rw/userfiles/file/60914323810.pdf (in document body)
    • https://www.advids.co/wp-content/plugins/formcraft/file-upload/server/content/files/16232cbae38892---kiwelo.pdf (in document body)
    • http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16204aa0197102---7185056782.pdf (in document body)
    • http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/162aba6e652a0c---suwirokut.pdf (in document body)
    • http://churchtextile.com/userfiles/file/muwowikavodedukasojom.pdf (in document body)
    • https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/m9rcdf2i3387b1fvpg1u92tnov/75884546391.pdf (in document body)
    • http://studiosantese.eu/userfiles/files/batago.pdf (in document body)
    • http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/2b5471f55005a846687c73807d198711/95165402353.pdf (in document body)
    • http://xn--or3bi2da319p.com/upload/fckeditor/file/41901258349.pdf (in document body)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62bf67af9ad3dd7fd32bd123/1656711087832/kiroligir.pdf (in document body)
    • https://static1.squarespace.com/static/604aea6a97201213e037dc4e/t/62c12f3c487959762cf0cfe8/1656827708977/77731996004.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf25e42d7b60106dc17aa/t/62b85a4b3495104834bda98f/1656248907693/portafolio_de_diseo_grafico_creativ.pdf (in document body)
    • https://static1.squarespace.com/static/604aebe5436e397a99d53e8a/t/62c7062e4d6a5c44ab88959b/1657210415396/42983285916.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62b2edef3e49983621a545a2/1655893487847/jokoxinirujoxi.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62c069a88ede295f34961eba/1656777128872/cuantos_polines_por_m2_de_cimbra.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62b4b65ee3457e5dc00c67a1/1656010335326/17663528388.pdf (in document body)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62c41d0ba2541834b52fadad/1657019659495/munerofe.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf25e42d7b60106dc17aa/t/62b6f79b5e541e2575b2b27f/1656158108420/setudidimomebewodazolizo.pdf (in document body)
    • https://static1.squarespace.com/static/604aec14af289a5f7a539cf5/t/62bedc52ae7edc461abbf1f3/1656675410961/alba_19_inch_led_tv.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62bc91dcc79fa716050f860a/1656525277279/healthiest_smoothie_king_meal_replacement.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62b2ede69745787d86b190ce/1655893478684/22892409699.pdf (in document body)
    • https://static1.squarespace.com/static/604aebe5436e397a99d53e8a/t/62c4e7781eb1087975df6caf/1657071481381/wulasiranepasabimoton.pdf (in document body)
    • https://static1.squarespace.com/static/604aea6a97201213e037dc4e/t/62bd1ebf784561521d45a232/1656561343495/materials_chemistry_fahlman.pdf (in document body)
    • https://static1.squarespace.com/static/60aaf27c8bac0413e6f804fa/t/62c6b2f13ec89a282546e651/1657189106267/nuponoku.pdf (in document body)
    • https://static1.squarespace.com/static/604aebe5436e397a99d53e8a/t/62bed28a1d99645b1e8f5c83/1656672907149/automatic_products_vending_machine_c.pdf (in document body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document body)
    • http://purl.org/dc/elements/1.1/ (in document body)
    • http://ns.adobe.com/pdf/1.3/ (in document body)
    • http://ns.adobe.com/xap/1.0/ (in document body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document body)
    • http://ns.adobe.com/xap/1.0/rights/ (in document body)
    • http://dejavu.sourceforge.net (in document body)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in document body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0004b735.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B735 | 20612 bytes
  SHA-256: 78576132e2bd6754304382376506039e2a1a538d340f5e085a2c4315db4f4d3f
font_01_sfnt_off0004eda1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4EDA1 | 10900 bytes
  SHA-256: 862ff23a370f15c6ce80cf7d0851697d61c58ada829d876a76d3c67bcfefb50f