PDF malware analysis — malicious · c96696f06578f042

MALICIOUS

PDF

93.7 KB Created: 2021-06-29 14:03:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-05

MD5: ae3c86c8129e038401a92670279a1e4a SHA-1: 1f2404803d68e63a3caa1978b414db7033e95e0a SHA-256: c96696f06578f04254fa2b84fea1b46aeff14cd4ee1b514bbb653a44598e01df

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous external links, with several heuristics indicating it functions as a link farm. Notably, some links point to compromised WordPress upload storage, suggesting a potential distribution or redirection mechanism. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent, likely to lure users to potentially harmful sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 5

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://semsaesp.com/ckfinder/userfiles/files/sipowolu.pdf In PDF document text
- http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/49069093c030c02c81d5e79ad38da925/fepadotubevuvom.pdfIn PDF document text
- https://ajitcoatings.com/uploads/nijomuwanetenib.pdfIn PDF document text
- https://penal-garazh.ru/files/15070872328.pdfIn PDF document text
- https://southtours.com/wp-content/plugins/super-forms/uploads/php/files/ic7ufji5g8go2277lkde26jj61/sazamuselote.pdfIn PDF document text
- https://wsbtitan.com/images/file/53396871953.pdfIn PDF document text
- https://mudateconmigo.cl/wp-content/plugins/super-forms/uploads/php/files/6a9fb7440bc7a24843448060a7eadf5f/29297860182.pdfIn PDF document text
- http://schoonhovensvrouwenkoor.nl/ckfinder/userfiles/files/38816413035.pdfIn PDF document text
- https://rescue.bg/wp-content/plugins/formcraft/file-upload/server/content/files/16086ccea9824a---tebixexonudeb.pdfIn PDF document text
- http://kipia-nn.ru/userfiles/file/weladiwital.pdfIn PDF document text
- https://skyfireconsulting.com/wp-content/plugins/super-forms/uploads/php/files/52au8kj244qjfkqse77fgfk13c/22846268519.pdfIn PDF document text
- http://busankid.com/webfiles/board/file///totujalugolunoxozumexef.pdfIn PDF document text
- https://amenagementsoleil.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c605941d468---rubokomajeden.pdfIn PDF document text
- https://joefairless.com/wp-content/plugins/super-forms/uploads/php/files/06b96908656a23f3e378724386ee637f/pupav.pdfIn PDF document text
- https://www.18fire.com/wp-content/plugins/super-forms/uploads/php/files/1ccc942ec7030e52986d06a939b81750/jerogogokobewabim.pdfIn PDF document text
- http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070644b43b04---febikuzoj.pdfIn PDF document text
- http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb403eb886---54503906138.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=state+park+cabinsPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010dfb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10DFB	10508 bytes
SHA-256: `383e5d55cb25924de7fa136eb996dac3245ac46824f6e9090eaf16710caec10b`
`font_01_sfnt_off000125c2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x125C2	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00013dd4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13DD4	17116 bytes
SHA-256: `de11950e3c3fc89a652cfb1c54c026992a496be6cdf805f7718a779bf1f39f29`

Open this report in the interactive analyzer, or submit your own file for analysis.