Malicious PDF — malware analysis report

Static analysis result for SHA-256 19177aa6a2fb2ab1…

MALICIOUS

PDF

Size: 123.5 KB
Created: 2022-06-22 03:00:41 +02:00
Authoring application: zakmark (via PDF Master 1.0.1)
First seen: 2026-06-22
MD5: 70a6b0711f81ac2146c0fa88a1f1ca9b
SHA-1: 6fab067cdb701ff4ffb8626259b9d6beb0e28e76
SHA-256: 19177aa6a2fb2ab1a19034af47cf48db09fd443ed6fe660ce67a9f55ed4a9f7a
Risk Score: 102

Machine Learning

  • Nyx PDF Classifier clean score 0.0014

Heuristics 5

  • Small PDF contains mass external PDF link farm (severity: critical; ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link farm advertises cracked/pirated software (severity: medium; ID: PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure (severity: low; ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info; ID: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: stream_002_off00001a73.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1A73
Size: 120140 bytes
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4