Malicious PDF — malware analysis report

Static analysis result for SHA-256 09a21a590c4091f6…

MALICIOUS

PDF

16.1 KB Created: 2020-10-31 01:44:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 5143f872d03f30c2c45cae7d41e25ac0 SHA-1: bb05e4978cc3392a20fb7d612afe05b445e347f0 SHA-256: 09a21a590c4091f69149522d5b16318f63829179c5802c4e0031ee22e2a298f9
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm and a redirector URL, indicating a phishing or scam attempt to lure users to a malicious site. The ML classifier strongly flagged this PDF as malicious. The presence of numerous links, including one to a known malicious redirector, suggests the primary goal is to drive traffic to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/pify?keyword=android+docking+speaker In PDF document text
    • https://cdn-cms.f-static.net/uploads/4368949/normal_5f8a735d2afcd.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371005/normal_5f8a82d8f17b1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380680/normal_5f9ca0caace6c.pdfIn PDF document text
    • https://bujupovira.weebly.com/uploads/1/3/4/4/134472582/bejikezigami_gilomalulexabip.pdfIn PDF document text
    • https://s3.amazonaws.com/mijedusovineti/6978687977.pdfIn PDF document text
    • https://s3.amazonaws.com/baxunaf/dinijerufujix.pdfIn PDF document text
    • https://s3.amazonaws.com/tesodagiwor/96729442826.pdfIn PDF document text
    • https://s3.amazonaws.com/zetare/speak_business_english_like_an_american_vk.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e7932124-c788-484b-aea0-1e6ef51f908f/mivapigijejafuxatovul.pdfIn PDF document text
    • https://s3.amazonaws.com/gajabedafot/63759176613.pdfIn PDF document text
    • https://s3.amazonaws.com/xoxaneral/garmin_echomap_73sv_on_the_water.pdfIn PDF document text
    • https://s3.amazonaws.com/liwafo/rijerukupiwedoperu.pdfIn PDF document text