PDF malware analysis — malicious · 09f461556e4edbdb

MALICIOUS

PDF

117.9 KB Created: 2021-02-19 04:53:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05

MD5: a8602537d2c0dae49c52e48a536e6fbe SHA-1: c8dfd473400422d16ee8d2b2e67e3218ee3e36e8 SHA-256: 09f461556e4edbdb13c87b13b418d3b411ccc0e8f64b334208a31d86e9edfac9

184 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded links, with a critical heuristic firing indicating redirection to known malicious infrastructure via the URL https://crophysi.ru/strik. The ML classifier also strongly flagged this PDF as malicious. The document body is heavily obfuscated, but the presence of links and the heuristic firings suggest a phishing or redirection attempt, likely to deliver a secondary payload or lead the user to a malicious site.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://crophysi.ru/strik?utm_term=the+maker%2527s+diet+revolution+reviews In PDF document text
- https://static.s123-cdn-static.com/uploads/4407781/normal_5fe18afec3549.pdfIn PDF document text
- http://vovpomnim.ru/tejedopiwufewavidafemamuswytxa.pdfIn PDF document text
- http://xugerovogubex.22web.org/fur_elise_sheet_music_clarinet_easy.pdfIn PDF document text
- https://cdn.sqhk.co/busibelifiv/mhggd7N/54510387665.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4476567/normal_5fc641f8e354c.pdfIn PDF document text
- http://biggymstoe.com/candle_light_dinner_new_punjabi_songez6ce.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4382619/normal_602efd0192741.pdfIn PDF document text
- https://sevafigetof.weebly.com/uploads/1/3/4/9/134902911/6399753.pdfIn PDF document text
- http://tryse.xyz/chicken_wings_nutritional_informationzcgir.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4475397/normal_5ff2ba5021db5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4415321/normal_601e5ef02e99c.pdfIn PDF document text
- http://rubyshup.space/19139581176bjnce.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://sevawudefogu.rf.gd/abcd_2_movie_songs_ringtones_free.pdfIn PDF document text
- http://newubopuga.epizy.com/freelance_website_design_contract_template.pdfIn PDF document text
- https://s3.amazonaws.com/zesotat/a_villain_movie_songs_free.pdfIn PDF document text
- https://s3.amazonaws.com/muxegeza/ximisu.pdfIn PDF document text
- http://vigiraporonom.rf.gd/88819924211.pdfIn PDF document text
- https://s3.amazonaws.com/petubapizo/mebudedekajufutuninuro.pdfIn PDF document text
- https://s3.amazonaws.com/paxuvagal/adherence_performance_meaning.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000191a1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x191A1	5264 bytes
SHA-256: `7224c6052ea245db2afc7595259f6d2de7208a6e4727d711e35affbde9e8396b`
`font_01_sfnt_off0001a373.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1A373	11472 bytes
SHA-256: `b795552e59caab49121b856d1a47bffffa487da2182cd7217f2b311646f426a8`

Open this report in the interactive analyzer, or submit your own file for analysis.