Malicious PDF — malware analysis report

Static analysis result for SHA-256 e14ee03804bb5158…

MALICIOUS

PDF

71.3 KB Created: 2021-05-28 12:43:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 517f40fa6095b6a17371a244f0c82209 SHA-1: 7a739c759a7e74590a57cc0c57d71fe545d4cd04 SHA-256: e14ee03804bb51589bb7ec1ce35cdc5ec4ba873e908910131db9fa4fe5da9f99
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and ML classifiers, indicating a high likelihood of malicious intent. It contains numerous external links, many pointing to compromised WordPress sites, suggesting it functions as a link farm to distribute phishing content or further malware. The presence of these links and the overall detection score strongly suggest a spearphishing attachment attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7805

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=kabbalah+el+poder+de+cambiarlo+todo+pdf+gratis PDF link annotation
    • https://laxmigrouppune.com/wp-content/plugins/super-forms/uploads/php/files/2d4f9b21e85e9a5ec872aeb317e9f94a/razapavot.pdfIn PDF document text
    • http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/16095aaf2e0f0d---pagekinapikuvu.pdfIn PDF document text
    • http://ne-moloko.ee/wp-content/plugins/super-forms/uploads/php/files/639ffee962930361c008559b75dc779f/nuxowipuvinabitirizaxur.pdfIn PDF document text
    • https://mymango.ru/wp-content/plugins/super-forms/uploads/php/files/0c3ee2505c1a5b2739727d06240f31ed/11329699902.pdfIn PDF document text
    • http://www.thelawchamber.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad88b891f35---mejelagoxagisomukobile.pdfIn PDF document text
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/917319fd14426a0ed8ea799a4671aeff/44738528080.pdfIn PDF document text
    • http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089da7d62473---36709198795.pdfIn PDF document text
    • https://afd.me.uk/wp-content/plugins/super-forms/uploads/php/files/p0sp9rogva4clodp0ft0kaev6c/wegasotenudijofiluturobul.pdfIn PDF document text
    • http://vipavtoufa.ru/wp-content/plugins/super-forms/uploads/php/files/16660936d886fe696b5e6889176ad5d6/29089913652.pdfIn PDF document text
    • https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a921c35db16---xegudosozifomumipelu.pdfIn PDF document text
    • http://www.radioemka.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096af837bab1---5544510498.pdfIn PDF document text
    • http://bridgesonthepark.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084cd0896268---87315944983.pdfIn PDF document text
    • https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/1609a9cc10c205---forozukoturibek.pdfIn PDF document text
    • http://audiomaster.se/wp-content/plugins/formcraft/file-upload/server/content/files/1607537524f6a1---56542703803.pdfIn PDF document text
    • http://akcjonariusz.com/UserFiles/file/78096975360.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df8a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF8A 5360 bytes
SHA-256: f9f7ed2ab058ce6e355ce3dedab461c2f5bdb4196c1c659ceef99a65ac231305
font_01_sfnt_off0000f1c0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF1C0 12376 bytes
SHA-256: 40292d4688270ca59eea51bcb6616a2dceff74d746a4d36e9feeb4c4bda155ce

Open this report in the interactive analyzer, or submit your own file for analysis.