Hits from Macintosh PC's with no browser in the user agent

         

SumGuy

11:09 pm on Aug 2, 2023 (gmt 0)

I've noticed today a web hit (human, not bot) where the UA was:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)

No browser. I thought that was strange. I've scanned through the logs looking first for any with "Macintosh" and then removing any with "Safari" and "Firefox". I didn't have to remove any with Chrome - because there were none? This results in hits from 14 unique IPs such as from EDUs (Queensland, Missouri, UC Irvine, Providence, Japan) and ISPs (Sunrise GMBH, Brit Telecom, Centurylink, Verizon). Earliest dates to Feb / 2021. These look like legit hits, some are to PDF files, others are page-browsing. In one case, a browsing session requested /null (which got them a 404).

The vast majority have the UA as I've stated above, sometimes the OS X string was 10_14_4 or 10_15_6. Otherwise there was one example of this:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/603.3.8 (KHTML# like Gecko)

And one example of this:

Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/0.0.0

I just thought it strange not to see a browser. Could these have been hits referred to from an embedded link in an email, document or spreadsheet? With the application not mentioned for some reason?
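The log filter described in the post above, as an added example that is not part of the original thread. It assumes Combined Log Format and checks a wider list of browser product tokens than just Safari and Firefox; the function names, token list and sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# Product tokens a browser appends after the engine part (assumed list, extend as needed).
BROWSER = re.compile(r"\b(?:Safari|Chrome|CriOS|Firefox|FxiOS|Edg|OPR)/")

def browserless_mac_hits(lines):
    """Group hits whose UA names Macintosh but carries no browser product token."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, path, status, ua = m.groups()
        if "Macintosh" in ua and not BROWSER.search(ua):
            by_ip[ip].append((when, path, int(status), ua))
    return dict(by_ip)

def summarize(by_ip):
    """One row per IP: hit count, first timestamp seen, distinct UA strings."""
    return {ip: (len(h), h[0][0], sorted({u for *_, u in h})) for ip, h in by_ip.items()}

# Constructed sample lines, not taken from any real log.
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)"
SAMPLE = [
    f'192.0.2.10 - - [02/Aug/2023:09:00:01 +0000] "GET /paper.pdf HTTP/1.1" 200 51200 "-" "{MAC}"',
    f'192.0.2.10 - - [02/Aug/2023:09:00:05 +0000] "GET /null HTTP/1.1" 404 512 "-" "{MAC}"',
    f'198.51.100.7 - - [02/Aug/2023:09:10:00 +0000] "GET / HTTP/1.1" 200 4096 "-" '
    f'"{MAC} Version/16.5 Safari/605.1.15"',
    '203.0.113.5 - - [02/Aug/2023:09:20:00 +0000] "GET / HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X) Word/0.0.0"',
    '203.0.113.9 - - [02/Aug/2023:09:30:00 +0000] "GET / HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/115.0.0.0 Safari/537.36"',
]

if __name__ == "__main__":
    for ip, row in summarize(browserless_mac_hits(SAMPLE)).items():
        print(ip, row)
```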

dstiles

10:13 am on Aug 3, 2023 (gmt 0)

KHTML is an outdated Linux KDE implementation. It's possible Konqueror still uses it. Search for KHTML.

AppleWebKit is, of course, a common web browser engine.

Pfui

4:41 am on Aug 7, 2023 (gmt 0)

Did you look at hits immediately after the no-browser instances? A quick skim over here shows what appear to be phone-related four-hit sets:

Example A - Australia - subsequent seconds:
1.) /
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)
2.) /apple-touch-icon-precomposed.png
Safari/18615.2.9.11.10 CFNetwork/1408.0.4 Darwin/22.5.0
3.) /
Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Mobile/15E148 Safari/604.1
4.) /apple-touch-icon-precomposed.png
Safari/15613.3.9.1.16 CFNetwork/1128.1 Darwin/19.6.0 (x86_64)

Example B - Florida - subsequent seconds:
1.) /
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)
2.) /apple-touch-icon-precomposed.png
Safari/15613.3.9.1.16 CFNetwork/1128.1 Darwin/19.6.0 (x86_64)
3.) /
Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1
4.) /apple-touch-icon-precomposed.png
Safari/18615.2.9.11.10 CFNetwork/1408.0.4 Darwin/22.5.0

No clue as to the rapid file redundancy plus four UA changes on the fly. Collecting favicons and such for iCloud-connected bookmarks?

SumGuy

12:09 pm on Aug 8, 2023 (gmt 0)

I will have a look at what hits happened around the same time. The phenomenon I describe below was gleaned from logs where I was looking for hits from a specific IP neighborhood - no such UA-changing is happening from the same IP and no other hits from the neighborhood.

I was going to post the following as a new thread, but since it features this same UA without a browser, I'll tack this on here. I'm seeing an odd file-request pattern from the same IP. The file being requested is a PDF (about 250 kb).

The request happens as 7 individual, sequential requests. Six of these are HTTP code 206 (requesting part of the file) but one is a 200 (requesting the entire file). The 6 requests for part of the file are always requesting the same byte-size sequence; in KB the sequence is 1, 0 (yes - zero), 16, 2, entire file, 136, 32. This happens over the course of a few SECONDS.

I believe that when someone views a PDF file in a browser window, the browser will usually download chunks of the file as the user scrolls through the document, hence the HTTP partial file request (code 206). What I can't figure out here, is why am I seeing this same sequence of partial requests happening from the same IP on different days?

Twice in January, 6 times in June, 6 times in July, and so far 4 times this month. There was one request in June that was actually a 304. (?)

Always the same user-agent:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)

No referrer, and no request for favicon.ico (I often see a request for a pdf file paired with a request for favicon). No previous hits from this IP or the /16 neighborhood. No browsing of my actual website - these are direct hits to the same PDF file.

The extended response headers contain this:

application/xhtml+xml
application/xml;q=0.9
*/*;q=0.8
en-US
en;q=0.9
gzip, deflate, br

Is this someone that keeps multiple tabs open, and each time they restart their browser all content is re-downloaded - instead of cached?

The IP is 67.6.98.X (67-6-98-x.clma.centurylink.net). I have issues in general with some centurylink hits, I think some of their IPs are used as a VPN or web proxy.
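One way to confirm from the logs that the same 206/200 sequence really recurs on different days, as an added example that is not part of the original thread. It assumes Combined Log Format with sizes in bytes; the 10-second burst window, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, path, when, int(status), 0 if size == "-" else int(size)

def recurring_bursts(lines, gap=timedelta(seconds=10), min_days=2):
    """Return {(ip, path, signature): dates} for bursts seen on min_days or more days.
    A signature is the ordered (status, size in KB) sequence of one burst."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[rec[:2]].append(rec[2:])
    seen = defaultdict(set)
    for key, recs in hits.items():
        recs.sort(key=lambda r: r[0])  # stable: keeps log order within one second
        burst = [recs[0]]
        for rec in recs[1:] + [None]:  # None flushes the final burst
            if rec and rec[0] - burst[-1][0] <= gap:
                burst.append(rec)
                continue
            if len(burst) > 1:
                sig = tuple((status, round(size / 1024)) for _, status, size in burst)
                seen[key + (sig,)].add(burst[0][0].date())
            burst = [rec]
    return {k: sorted(d) for k, d in seen.items() if len(d) >= min_days}

# Constructed sample: the 7-request sequence from the post on two days, plus one ordinary hit.
SIZES = [(206, 1024), (206, 0), (206, 16384), (206, 2048),
         (200, 256000), (206, 139264), (206, 32768)]
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)"
SAMPLE = [
    f'192.0.2.10 - - [{day}/Jul/2023:10:00:0{i} +0000] "GET /doc.pdf HTTP/1.1" {st} {sz} "-" "{UA}"'
    for day in ("03", "17") for i, (st, sz) in enumerate(SIZES)
] + ['198.51.100.7 - - [03/Jul/2023:11:00:00 +0000] "GET /doc.pdf HTTP/1.1" 200 256000 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for (ip, path, sig), days in recurring_bursts(SAMPLE).items():
        print(ip, path, sig, [d.isoformat() for d in days])
```

An identical signature repeating across days points to a client replaying a fixed fetch routine rather than a person scrolling through the document.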