Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7cffe59397a1dde…

MALICIOUS

PDF

348.9 KB Created: 2022-03-11 22:47:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-05-27
MD5: dfe48f7563665605fd55e30ccd7f916e SHA-1: ca60dffded05a286884777e919e37eda21bb78fe SHA-256: e7cffe59397a1dded40be93505c52beab223055f414ab8f14fb2d7468b05c7e0
214 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.6543

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://loheb.co.za/XSRYdR1H?utm_term=harry+potter+2010+dual+audio+720p PDF link annotation
    • https://www.yukule.com/ToBeDeleted/admin-assets/js/ckeditor_4.6.2_standard/kcfinder/upload/files/47186669305.pdfIn PDF document text
    • https://xtremefitksa.xbodyksa.com/ckfinder/userfiles/files/diwejuvolal.pdfIn PDF document text
    • https://posetili.ru/userfiles/file/21087168869.pdfIn PDF document text
    • http://shbaicun.com/userfiles/file/2022030323202373499.pdfIn PDF document text
    • http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/ce64ca3e66172d2cfc3b0ada89934053/59611137999.pdfIn PDF document text
    • http://www.chinahkcarplate.com/wp-content/plugins/formcraft/file-upload/server/content/files/162103e354e3dc---20988298128.pdfIn PDF document text
    • http://tuzoltosagmihald.hu/userfiles/file/xamigipabarixuluzutabe.pdfIn PDF document text
    • https://easypayindia.in/userfiles/file/jolexu.pdfIn PDF document text
    • https://furedgym.webtarhely.org/webroot/upload/files/dudoran.pdfIn PDF document text
    • https://poloszita.hu/admin/kcfinder/upload/files/64886790459.pdfIn PDF document text
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1620d869611a38---54354229687.pdfIn PDF document text
    • https://kinhdoanhvaphapluat.com/img-dn/files/begaluv.pdfIn PDF document text
    • http://app0.linkeo.it/ckfinder/userfiles/files/jobuzix.pdfIn PDF document text
    • http://xn-----6kcftbqgtghjv5bf5gydg7b.xn--p1ai/files/files/23292749857.pdfIn PDF document text
    • http://stopguepes72.fr/userfiles/file/novepalipurapogowiw.pdfIn PDF document text
    • https://stthomasorthodoxchurchsouthpampady.com/userfiles/file/24378537694.pdfIn PDF document text
    • https://farmaciasacoor.com/site/upload/file/75791203798.pdfIn PDF document text
    • http://livestocksaltlicks.com/ckeditor/kcfinder/upload/files/mukijulejesejoxofo.pdfIn PDF document text
    • http://macierz-grodziec.org/files/file/65542240248.pdfIn PDF document text
    • https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/df0e539c7d496bbdbbfa7ee0c36f90c6/napivuxemum.pdfIn PDF document text
    • http://portalpr-b2b.es/img/user//file/_0978672001643975737.pdfIn PDF document text
    • http://svazekobciorlice.cz/userfiles/file/99227558080.pdfIn PDF document text
    • http://hart-metale.pl/gimnazjum/userfiles/file/6341221637.pdfIn PDF document text
    • https://kristaldicarlo.com/userfiles/file/wudenipowizadoxuvub.pdfIn PDF document text
    • http://kochamsushi.pl/UserFiles/file/94735101450.pdfIn PDF document text
    • http://www.sman1batusopang.sch.id/asset/kcfinder/upload/files/90457090764.pdfIn PDF document text
    • https://lorrainezammit.com/files/file/90837211166.pdfIn PDF document text
    • http://asupuro.com/upload/save_image/files/29304019175.pdfIn PDF document text
    • http://germainelecocq.it/userfiles/files/rufogaz.pdfIn PDF document text
    • https://www.hungryalex.com/wp-content/plugins/super-forms/uploads/php/files/234d98d4b677fd156bec92edf698be99/41720921553.pdfIn PDF document text
    • http://wamaeassociates.com/images/uploads/originals/file/jufazasajagogika.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn extracted file (font_00_sfnt_off00050023.bin)
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn extracted file (font_00_sfnt_off00050023.bin)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00050023.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x50023 19972 bytes
SHA-256: 07668c91f14439611003eebdc5fe403766b3c1128114d1005cd3629019742d58
font_01_sfnt_off000532c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x532C7 10664 bytes
SHA-256: 05919e5593bf128421b006da98947a0d6e52f956c90c60c574c2ae0fc5b77c81
font_02_sfnt_off00054b6b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x54B6B 16560 bytes
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9