Malicious PDF — malware analysis report

Static analysis result for SHA-256 0044f6fd4ce8b2a5…

MALICIOUS

PDF

33.6 KB Created: 2020-11-05 16:43:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04
MD5: 37e5dfed59d956cf73b1441963992c66 SHA-1: ca6184c8c467c81eb36cee5ab1cd3b46461cf15f SHA-256: 0044f6fd4ce8b2a5dc62d9e47847792dd19790b22a38cf1cd89daeb5928e03c0
74 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains heuristics indicating it's a lure for free downloads, using an SEO redirector to a suspicious URL. The document body, though heavily obfuscated, contains the same suspicious URL. The ML classifier also flagged the PDF as malicious. No scripts were extracted, but the presence of external links and the nature of the heuristics suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 3

  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/aws?keyword=dissidia+opera+omnia+artifact+guide PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4366622/normal_5fa3667cd6984.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374366/normal_5f8f29f443852.pdfIn PDF document text
    • https://radisowe.weebly.com/uploads/1/3/4/3/134366404/gexuton_juguduxu_rururavigumixor_nowiloza.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/mogelebolep/wiiflow_latest_version_download.pdfIn PDF document text
    • https://s3.amazonaws.com/gupawupigawono/cheat_codes_for_cashman_casino.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1856e413-a2a3-4ab8-a000-29c40dd91760/75297844854.pdfIn PDF document text
    • https://s3.amazonaws.com/subud/advantages_and_disadvantages_of_educational_technology.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b689355c-0ecb-4387-9007-d3db5f9cd2f7/juegos_de_un_show_mC3A1s.pdfIn PDF document text
    • https://s3.amazonaws.com/tanikanaw/24450333767.pdfIn PDF document text
    • https://s3.amazonaws.com/gapivegek/zimeritulat.pdfIn PDF document text
    • https://s3.amazonaws.com/toliwudalamem/indigenous_literature.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b4c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6B4C 5440 bytes
SHA-256: 662a5d9b2f5a7f503ede43e8bee9c042c635971ad7b68a7397e36d950f79e9e2