Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e0ec4b068ddcaea…

MALICIOUS

PDF

File size: 88.5 KB
Created: 2021-03-18 20:53:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-04
MD5: 102d6961fdf72674b7e66bd6cbba7fbc
SHA-1: 9be433f2f2a922f2fcebef4880b6b3d62f03fc20
SHA-256: 0e0ec4b068ddcaea261fba4d8428c3030430d381951ed61211d5d9db156a6c84
Risk Score: 66

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; ID: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; ID: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; ID: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010ecb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ECB | 5148 bytes
    SHA-256: 2d315de0e2f8e75111ba42aa050c209415e65f53b67d129c90eaaf69e685639a
font_01_sfnt_off00012052.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12052 | 11188 bytes
    SHA-256: 91ab34ab2d7f8a0e69ee621e13a37ecd674931c8d9f1c615420b99de30bf101d
font_02_sfnt_off000146c0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x146C0 | 4324 bytes
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f