PDF malware analysis — malicious · f87581dcb900e0bc

MALICIOUS

PDF

155.8 KB Created: 2022-02-03 12:46:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-17

MD5: 94c7dd5bad267514de5fbb9a9fb948df SHA-1: c076d05b27cd90cd857cdcbd085757c75c163d00 SHA-256: f87581dcb900e0bc01a902263cd24faa2cc751604c3ff9068bbca938019aacea

156 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.8502

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://mifuj.co.za/XSRYdR1H?utm_term=casio+alarm+chrono+wr+lithium+manual PDF link annotation
- https://www.akita-tourism.com/assets/admin/plugins/kcfinder/files/gagiwaputezibi.pdfIn PDF document text
- https://elmawadah.com/userfiles/file/tetironawipezidezepajiwoz.pdfIn PDF document text
- http://audiomaster.se/wp-content/plugins/formcraft/file-upload/server/content/files/161b42568b9d36---11529540999.pdfIn PDF document text
- http://bippex.com/filespath/files/20210820130227.pdfIn PDF document text
- https://limsurempat.com/contents//files/nukusilomuzipefexesefesa.pdfIn PDF document text
- http://avrig35.ro/uploads/fck_editor/file/vigimivogiduxid.pdfIn PDF document text
- https://bdaudit.ro/userfiles/file/19496323043.pdfIn PDF document text
- http://konakelektrik.com/userfiles/file/vufukase.pdfIn PDF document text
- http://steelbo.com/uploads/admins/u0/files/20211120223013.pdfIn PDF document text
- https://www.coconutlodge.com/wp-content/plugins/formcraft/file-upload/server/content/files/16198c62e5dbbf---9197497898.pdfIn PDF document text
- http://szm.hu/userfiles/file/kibujakulekejeriradis.pdfIn PDF document text
- http://bekkercoon.ru/ckfinder/userfiles/files/sugiso.pdfIn PDF document text
- https://skyfireconsulting.com/wp-content/plugins/super-forms/uploads/php/files/2c585kp1fss4l7epj0kt0j3lt3/jisojipivujepupubur.pdfIn PDF document text
- http://podlahyadvere.sk/editor_uploads/system/files/96058470191.pdfIn PDF document text
- http://saintthomassolapur.org/admin/kcfinder/upload/files/66397853704.pdfIn PDF document text
- https://servauto.fr/img/user/file/pifewoporesurejod.pdfIn PDF document text
- https://bloc-immo.com/images/69489756694.pdfIn PDF document text
- https://icicle-mountaineering.ltd.uk/ckfinder/userfiles/files/75487023408.pdfIn PDF document text
- http://besteva.com/upload/files/jowunesufafugalowozov.pdfIn PDF document text
- https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/ubkomb2resdk58fflsjrv17ra9/691900051.pdfIn PDF document text
- https://bhsbeacon.com/FCKeditor/file/31359700084.pdfIn PDF document text
- https://www.mountainhawktrek.com/assets/kcfinder/upload/files/4411990008.pdfIn PDF document text
- https://emotionalgift.youngzonejewelry.com/ckfinder/userfiles/files/gorobeza.pdfIn PDF document text
- https://divinenine.net/userfiles/file/xozadokalobulevuw.pdfIn PDF document text
- http://www.gastroblanik.cz/upload/files/50672872438.pdfIn PDF document text
- http://www.winnicajanowice.pl/kcfinder/upload/files/39013899610.pdfIn PDF document text
- http://danceaction.be/userfiles/file/96828508993.pdfIn PDF document text
- http://king-ber.com/UploadFiles/file/20210922000950224.pdfIn PDF document text
- https://oancora.com/ckfinder/files/81086877190.pdfIn PDF document text
- http://zvezda-rostov.ru/ckfinder/userfiles/files/senozidi.pdfIn PDF document text
- http://mgbig.com/upload_fck/file/2021-11-4/20211104075202463631.pdfIn PDF document text
- http://standartbio.com/fckfiles/file/87106133139.pdfIn PDF document text
- https://samuelben-horin.com/userfiles/file/18437073915.pdfIn PDF document text
- https://minlinart.com/archive/upload/files/tunazosituve.pdfIn PDF document text
- http://michael-dhom.com/webseiten/file/87119346989.pdfIn PDF document text
- http://educasters.co/ckfinder/userfiles/files/kunik.pdfIn PDF document text
- http://rlangkhan.com/upload/userfiles/files/32830225378.pdfIn PDF document text
- http://mylead.mandiricareer.net/contents/files/32328177074.pdfIn PDF document text
- http://urduhadith.org/survey/userfiles/files/ritizizadijax.pdfIn PDF document text
- https://www.dentaltaxpros.com/wp-content/plugins/super-forms/uploads/php/files/b9b0b0a378729871a01ac7a9533512ef/70960369922.pdfIn PDF document text
- https://phu-komplex.pl/pliki/file/malimikegevuwixomozi.pdfIn PDF document text
- https://dvg.asia/ckfinder/uploadfiles/files/66448958525.pdfIn PDF document text
- https://behbehaniprojects.com/uploads/files/9764867296.pdfIn PDF document text
- https://bolahijau.com/contents/files/45596795322.pdfIn PDF document text
- http://www.injamal.es/nueva/ckfinder/userfiles/files/35114205673.pdfIn PDF document text
- http://cgt-fo-csc.fr/wp-content/plugins/formcraft/file-upload/server/content/files/161c1252d3f36d---49223101152.pdfIn PDF document text
- https://christianboudreau.com/wp-content/plugins/formcraft/file-upload/server/content/files/16105663f2c0dc---37112202477.pdfIn PDF document text
- https://whitesal.com/data/images/file/5524_20210713045032.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
+7 more URL(s)

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001ed3c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1ED3C	10580 bytes
SHA-256: `18139d1bb4b1e433d34fb4fe97f96269b95d3e7e4e3f881af2603f7d84952f56`
`font_01_sfnt_off00020546.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x20546	16560 bytes
SHA-256: `924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9`
`font_02_sfnt_off00021c61.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x21C61	21396 bytes
SHA-256: `23f8744d8028569c59ec95f3ce46664cbbeacae7613339c42ad2feacbfe6a73d`
`font_03_sfnt_off0002504a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2504A	3212 bytes
SHA-256: `5dcebad2e0e30d26c25f556b6f045b14fe59fe20bcb636275f4b44001893bb59`

Open this report in the interactive analyzer, or submit your own file for analysis.