Malicious PDF — malware analysis report

Static analysis result for SHA-256 fffad6637fcf509c…

MALICIOUS

PDF

92.9 KB Created: 2021-07-06 00:47:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-05
MD5: 390a9fd06d6f4cdb7a958c9941a140ce SHA-1: 86322010981544f7c7d6443ad9d4accb760cc986 SHA-256: fffad6637fcf509c140f2aa01ebb4c32309b4ccc459eff8cbfe20036604bee45
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm pointing to compromised CMS uploads and disposable hosting, suggesting a phishing or malware distribution scheme. The embedded URLs, while numerous, do not provide direct executable content, but rather redirect to external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9840

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.ediliziaindustriale.com/wp-content/plugins/formcraft/file-upload/server/content/files/160771ff54612b---xorugonujona.pdf In PDF document text
    • https://insights3.com/wp-content/plugins/super-forms/uploads/php/files/dd147a8d5ff32a9a7b2873837d68fc2d/kalemijiveledona.pdfIn PDF document text
    • http://adamlegal.com/userfiles/file/13712846049.pdfIn PDF document text
    • http://banghetretruc.com/media/ftp/file/vibosizanoxetebivuv.pdfIn PDF document text
    • http://www.predoisiasociatii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608b55a566eb3---pemomuzutuxupi.pdfIn PDF document text
    • http://mooneyes.pl/userfiles/file/nifigibuxalifenowi.pdfIn PDF document text
    • https://goldengrowers.com/wp-content/plugins/super-forms/uploads/php/files/5b13c48a106877c32f2b665b82bcf5a6/mavazikigabejowe.pdfIn PDF document text
    • http://hi-reid-solutions.com/wp-content/plugins/super-forms/uploads/php/files/43390fab12ec504066ebc2cb9b26bba9/penebeveti.pdfIn PDF document text
    • http://www.johnrealestate.in/ckeditor-ckfinder-integration/uploads/files/48921691501.pdfIn PDF document text
    • http://afghansolar.com/userfiles/file/wagugapexobaw.pdfIn PDF document text
    • http://english-life.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16072dc20e83e4---xumuvij.pdfIn PDF document text
    • http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cf34101183c---vaxukagisezowesemalowiwit.pdfIn PDF document text
    • https://www.popcaffe.it/wp-content/plugins/super-forms/uploads/php/files/dac6532b8ee2d4bab6a9967299087122/rodiserufoxisaf.pdfIn PDF document text
    • http://www.miamiairportlimo.net/wp-content/plugins/formcraft/file-upload/server/content/files/16098361335b0d---3219699215.pdfIn PDF document text
    • http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/82e6492888df4f29ca44a4fa3dae43fa/natadawaje.pdfIn PDF document text
    • http://amctop.com/board_data/editor_img/file/202107021944.pdfIn PDF document text
    • http://www.buildingmalawi.com/images/uploaded/documents/buxivokominawupifesazup.pdfIn PDF document text
    • http://humanitool.ru/userfiles/file/nerunibilotojetime.pdfIn PDF document text
    • http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/160b0d08fc7334---fobomoxujizajuwi.pdfIn PDF document text
    • https://tuabogadoangel.com/wp-content/plugins/super-forms/uploads/php/files/17927414ebbdd632f9b8b67f07b17610/dibuvivowubudunedibanijit.pdfIn PDF document text
    • http://stroynerud-sm.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160c178b7c5e2a---taxufo.pdfIn PDF document text
    • https://rhythmcprandfirstaid.com/wp-content/plugins/super-forms/uploads/php/files/5ec274276f855c6a1ca91650ed303e44/lorulumewagabelititipuwi.pdfIn PDF document text
    • https://www.frankreich-ferien.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160a3f3ec47b81---32223927041.pdfIn PDF document text
    • https://misionesmedellin2030.com/wp-content/plugins/super-forms/uploads/php/files/6a3e90al7n6vsp0n64npshqugk/61308113276.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=yellow+bellied+lily+liveredPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000fd0b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFD0B 22760 bytes
SHA-256: 1c1f90b1ff77bd548cd325bf9ca6baa0b2f97dca1d63e0f37075cd45b1f4ace5
font_00_sfnt_off0000ce6a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCE6A 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e681.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE681 10096 bytes
SHA-256: 7e6c53ba418f0e31a03124ae6fb810d026bee63c433071d1e3e305cc6d27b7bc
font_03_sfnt_off00012432.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12432 20648 bytes
SHA-256: a959121c0f9b6d13e246dd0ddbb7c6ced364326d2284c4b744515ff6858ac6fd
font_04_sfnt_off0001595c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1595C 2868 bytes
SHA-256: 77f7f946615a41fa6e30b4abafbfe3539aa907697fe20d3c066084cb50c4607c