Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9921b01724eadd8…

Verdict: MALICIOUS
File type: PDF

Size: 81.7 KB
Created: 2021-08-27 13:19:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-06-13

MD5: 19ce14bf8393389c6e81797a0a833fa1
SHA-1: 37966d0fe55d16b23bd00377e4d6345b355b6c11
SHA-256: f9921b01724eadd8b398a7c27a7ef9f25acb6bb16a39ec33f87087e122d7dd25

Risk score: 164

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9911

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size:

  • font_00_sfnt_off0000da5f.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xDA5F, 10824 bytes
    SHA-256: 6e3c2930014cf1bab38c8c6209fbdf3bcb3e63abd9c284be934c2b8abe0826b7
  • font_01_sfnt_off0000f2ff.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xF2FF, 17428 bytes
    SHA-256: f4d911d10598f7384bf9feaf93a5041f8fa032cdf48a7dfa7af069bdea66c8f1
  • font_02_sfnt_off00012075.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x12075, 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1