Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdc3fc3a5accadff…

MALICIOUS

PDF

89.4 KB Created: 2021-06-30 23:56:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-05
MD5: 5e8c371ca6c1c2bc42d440c063ab037a SHA-1: aac693ece1e7eeb476463bf035f985bd311075da SHA-256: bdc3fc3a5accadffd49a6b803c8b871d5d1c041dcf6c2fc02352198bf504f783
236 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by ML classifiers and ClamAV as malicious. It contains heuristics indicating it's a link farm and a lure for clipboard command execution, suggesting it's designed to trick users into running commands. The document also mentions password-protected archives, a common tactic to bypass security scans. The embedded URLs likely lead to further stages of the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=pdf+footer+removal+online PDF link annotation
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/ce9e624d253e6ed04aa39c538e9db21b/xiwapegizubeximoparizin.pdfIn PDF document text
    • http://mondoacquapiscine.com/userfiles/files/80518074567.pdfIn PDF document text
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b451b0ead07---4737511615.pdfIn PDF document text
    • https://cwlighting.com/wp-content/plugins/super-forms/uploads/php/files/09d8a4d86d101446e6475a2d8ee19f2d/jixobifixemu.pdfIn PDF document text
    • https://stcatherine.ac.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160760b9a55d03---wagemas.pdfIn PDF document text
    • https://hoffmanowska.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160aeb0f14c81c---46171975908.pdfIn PDF document text
    • http://susutour.com/userfile/file/74577658498.pdfIn PDF document text
    • http://esoftland.com/userfiles/file/47171363741.pdfIn PDF document text
    • https://tese.in/ckfinder/userfiles/files/15591114242.pdfIn PDF document text
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092a753731c6---lerodagerexe.pdfIn PDF document text
    • http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160c3248251a26---52536052306.pdfIn PDF document text
    • http://al-bandak.com/userfiles/file/rolavazu.pdfIn PDF document text
    • https://vizzzio.ru/wp-content/plugins/super-forms/uploads/php/files/fe6dfca305a9e22db5b3acccbabd9709/fakamewopobosixadef.pdfIn PDF document text
    • https://vinisfarm.com/wp-content/plugins/super-forms/uploads/php/files/b14d01fc31054bbe56ec723149b67ba9/zodudebidozija.pdfIn PDF document text
    • https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/20d4ecdfcd0b7d8a74c6c987cb0e770e/zedamawowonozi.pdfIn PDF document text
    • https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4aa6e8b8e5---54273807586.pdfIn PDF document text
    • https://sonarmusic.hu/up_image/file/14463323743.pdfIn PDF document text
    • https://cffcommunications.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/1606c8fca0d392---57328409628.pdfIn PDF document text
    • https://cape-electronics.com/media/file/fosazinezasapojumuloronew.pdfIn PDF document text
    • http://www.restorationservice.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608d191940fb4---bokulafusilepezuziw.pdfIn PDF document text
    • https://grupahatak.pl/admin/_fck_files/file/20454933225.pdfIn PDF document text
    • http://lideparts.com/userfiles/file/1622531666.pdfIn PDF document text
    • https://www.ptlittleflower.org/wp-content/plugins/super-forms/uploads/php/files/89n8dpvi88mfja54gg715oivgd/5515512805.pdfIn PDF document text
    • https://martybermanassociates.com/wp-content/plugins/super-forms/uploads/php/files/13293a70c835278a00544839f276a748/xazumojulufubamomuribuk.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f9ca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF9CA 10412 bytes
SHA-256: 5b2cf613ed375f262a03610bd8e44cc6186f865d41ef21b543c43809f820da02
font_01_sfnt_off00011156.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11156 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012968.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12968 17960 bytes
SHA-256: f1a2d2708fb4776ac05eebf75153037c2d56321cd4bf093800c49c53d1c40bdc

Open this report in the interactive analyzer, or submit your own file for analysis.