Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3e48ae8d4de75cb…

MALICIOUS

PDF

  • Size: 460.5 KB
  • Created: 2022-05-09 18:03:45 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
  • First seen: 2026-06-20
  • MD5: 9e575a60692fa07992e9d2aec76c1f76
  • SHA-1: cdc8befe5ebe9f162eff0c3d505daa9e3f8aed26
  • SHA-256: d3e48ae8d4de75cb126ca3c7ebde5ef3608117d6e7856450e264376728331eb9
  • Risk Score: 106

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4050

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) (severity: high; rule: PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://norin.co.za/XSRYdR1H?utm_term=gloomhaven+scoundrel+cards+pdf+download+torrent+pc (PDF link annotation)

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0006be70.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6BE70
    Size: 11084 bytes
    SHA-256: f1ad087518e493ec9120d6bfd6d3f39aa05250a3a2201709c3a3e670f80e2ae5
  • font_01_sfnt_off0006d82e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D82E
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_02_sfnt_off0006f042.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6F042
    Size: 18624 bytes
    SHA-256: 578ede9534c25e0bca1de02f6b5658638fb1efbde61f47fcbd6434b620f58338