Malicious PDF — malware analysis report

Static analysis result for SHA-256 0113be88ae183ca4…

MALICIOUS

PDF

45.5 KB Created: 2020-10-07 08:07:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-05-28
MD5: 1b1e7dff4d010097474aa22428d9faec SHA-1: 50d3ea6ea02e3cadcc3bb58a5c46000748c0d126 SHA-256: 0113be88ae183ca4ea518d77e1ec34b2093d1ec7d4faff55c010f8c8afda8a51
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/strik?keyword=candy+crush+gold+bars+for+free — In PDF document text
    • https://site-1037178.mozfiles.com/files/1037178/patatuwezesiwetozurupite.pdf — In PDF document text
    • https://site-1038541.mozfiles.com/files/1038541/13678297537.pdf — In PDF document text
    • https://site-1037129.mozfiles.com/files/1037129/panemavutonejanexi.pdf — In PDF document text
    • https://site-1036997.mozfiles.com/files/1036997/75986795939.pdf — In PDF document text
    • https://site-1048222.mozfiles.com/files/1048222/rezux.pdf — In PDF document text
    • http://www.ascendercorp.com/ — In extracted file (font_00_sfnt_off00006580.bin)
    • http://www.ascendercorp.com/typedesigners.html — In extracted file (font_00_sfnt_off00006580.bin)
    • http://www.daltonmaag.com/ — In extracted file (font_02_sfnt_off00009a67.bin)
    • https://cdn.shopify.com/s/files/1/0484/6164/3930/files/juvenile_green_tailed_towhee.pdf — In PDF document text
    • https://cdn.shopify.com/s/files/1/0435/8642/0893/files/daminibujo.pdf — In PDF document text
    • https://cdn.shopify.com/s/files/1/0486/0333/2766/files/the_universe_secrets_of_the_sun_video_worksheet.pdf — In PDF document text
    • https://cdn.shopify.com/s/files/1/0497/9225/4105/files/71226070995.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/fcf90f3d-9c1c-44ee-9a4e-6e55d6af4163/5638587108.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/511f251b-ec77-457c-9b52-df03f54fdb95/lobipuvelewola.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/0b83da0a-2a08-4065-9859-9f563e536261/55629629751.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/f8f76d7f-2a7f-4d86-9ab9-de38f1c69a95/lixado.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/e92326b1-f8a4-4d3d-99b6-c26860aadd91/zijagi.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/7ae350d8-258b-4a3d-aacf-0e50d4308d6c/gusosutujofa.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/a17068c8-b80b-46b0-8ed8-42ad57b5fdf6/15887419949.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/97142168-cbee-44f1-bdff-5b7712353e6a/56230072443.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/164e9a3b-0c0f-4d3f-a227-079c611f82cd/kirevolul.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/9e9f5f8f-3608-4d6f-8e7e-06a3674e1bb4/5385671788.pdf — In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
    • http://purl.org/dc/elements/1.1/ — In PDF document text
    • http://ns.adobe.com/pdf/1.3/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ — In PDF document text
    • http://scripts.sil.org/OFL — In extracted file (font_00_sfnt_off00006580.bin)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00006580.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6580 | 5304 bytes
    SHA-256: 4fe9e91856adf3f83c41c79f96bf4f98befd534b88a0e3b14d44d0da782c53df
font_01_sfnt_off0000777d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x777D | 10204 bytes
    SHA-256: 11d1a46e7cfb6a1451efe768d454d50f962a31dc5fa8dba4430e8b64400eea71
font_02_sfnt_off00009a67.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9A67 | 4324 bytes
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176