Malicious PDF — malware analysis report

Static analysis result for SHA-256 fabfee7aab531dc0…

Verdict: MALICIOUS
File type: PDF
Size: 404.8 KB
Created: 2022-03-21 18:10:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-07-02
MD5: 9bf4e5c5901daab51cdbd79ad482b930
SHA-1: 5b70f3fb68920b5f4c6ba6f29b1aa6064067a654
SHA-256: fabfee7aab531dc01b5e8a9e8f759d4ea5a5646f214b1296e533964e3f07c665
Risk score: 166

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6269

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tevav.co.za/XSRYdR1H?utm_term=god+is+not+great+pdf (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0005e592.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E592 | 10664 bytes
  SHA-256: 430e5013d5857867f9c5d2199fd650e376eb73c10771f078c81178e3938c64a3
font_01_sfnt_off0005fded.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FDED | 16560 bytes
  SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_02_sfnt_off00061508.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x61508 | 17888 bytes
  SHA-256: 3869c73aa2b21d3c991aba1b59eec27bf5eae4d37455d81b2c8b4dc65a335e16