Malicious PDF — malware analysis report

Static analysis result for SHA-256 1336098cf176e40d…

MALICIOUS

PDF

15.6 KB Created: 2020-10-29 07:14:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 160273e1b0189313d56c745b9c26b0c2 SHA-1: 65412d92631f8f269e1d98b18f3cd3c26a622c22 SHA-256: 1336098cf176e40db10a336b9df10561d6879f18d8a5cf9cfae876084063e0f6
202 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is designed as a lure, utilizing an image-only presentation to hide clickable links. It contains a critical malicious redirector link to 'https://ggtraff.ru/aws?keyword=naan+sigappu+manithan', which is likely used to direct users to a phishing or malware distribution site. The document also hosts a large number of external PDF links, many on disposable hosting, further indicating a link farm or SEO poisoning tactic to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 15 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=naan+sigappu+manithan In PDF document text
    • https://cdn-cms.f-static.net/uploads/4369343/normal_5f89b6604fb08.pdfIn PDF document text
    • https://pewoxunoxosizix.weebly.com/uploads/1/3/4/3/134318290/226c3dae.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4417023/normal_5f95c05b26a77.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4388406/normal_5f94ad270d9e7.pdfIn PDF document text
    • https://fexejolimoti.weebly.com/uploads/1/3/4/1/134131812/sugosinu-mibubevo-fetatexawaf.pdfIn PDF document text
    • https://kokexofagisukop.weebly.com/uploads/1/3/2/7/132710589/xopilewag-gijil-vopufedis-davuwejujiner.pdfIn PDF document text
    • https://bilewazivabo.weebly.com/uploads/1/3/2/8/132816117/duxilesetofeg_moseziwikanusu_mokiporakob.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369773/normal_5f8a000c022ea.pdfIn PDF document text
    • https://tenabawik.weebly.com/uploads/1/3/2/7/132710661/d1c80.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4401515/normal_5f978896de668.pdfIn PDF document text
    • https://sugabora.weebly.com/uploads/1/3/4/3/134369176/vutirikowag_demudixulipalo_wawija.pdfIn PDF document text
    • https://zewogamiwivu.weebly.com/uploads/1/3/4/3/134313422/97c114db37991.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0439/0515/5227/files/woladuwasedowolawapuku.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0496/0921/2068/files/rdaction_administrative_cours.pdfIn PDF document text
    • https://s3.amazonaws.com/felasorarabipis/76282205044.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/9010/9097/files/compressed_to_jpg.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/19c11bea-6619-45f2-9292-fcbc9644c85c/78868220646.pdfIn PDF document text
    • https://s3.amazonaws.com/sugaguxagu/math_focus_grade_7_textbook.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0491/9135/4534/files/spanish_learning_books_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/56181147-2dbd-41f2-a1a8-525c7bc21d10/what_is_jacksepticeyes_number.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.