Malicious PDF — malware analysis report

Static analysis result for SHA-256 0565cb9d625476fe…

MALICIOUS

PDF

38.0 KB Created: 2020-09-06 17:21:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 2ed2805268d6bc0bfc3209d5e05da067 SHA-1: 15c33d6f2c45fd2b0c72999ba4cf95cc899b75b8 SHA-256: 0565cb9d625476fecc75ef30fa3888e3723717cd12f49194bd963944e5dd6da5
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains embedded links that point to a known malicious redirector, identified by the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic. The document body, though heavily obfuscated, contains text suggesting it is a 'Dota 2 juggernaut item guide', which is likely a lure to encourage users to click the malicious link. The presence of numerous external PDF links also indicates a link farm strategy, common in SEO-based phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=dota+2+juggernaut+item+guide In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static.usrfiles.com/ugd/76156b_b9afcfdfa4a64a47b5789754aa583578.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/90d19e_5a8dc4954d6d4d31b8f41c02718d4d46.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/9b33c5_c4986956b76543a2b58b998ccdf325c1.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/e4a001_eb03e56df2334f6e97bf622c79b73611.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/9177/7949/files/31845275756.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/5149/1233/files/48966277954.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0439/5086/6590/files/exception_handling_program_in_java.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/5663/5816/files/zabukosapijupila.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/5007/3240/files/att_router_page.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/3eed2b_7d407ac30ba24c6a9fe26096f42b9312.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/035627_c0563af79f6f478dbb1ddc18a73730cc.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/0768/0423/files/31801478839.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/4578/1665/files/6481244679.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000662c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x662C 5140 bytes
SHA-256: bd4beab29f22154aef6e56ff3bec3c454d0124e3fcbdd45abf7ab5dd98a5061d
font_01_sfnt_off000077a1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x77A1 9852 bytes
SHA-256: d36a0963c447798342e9c6468aac80d257debe8bb9fae80ebd831c9813bae9b9