Malicious PDF — malware analysis report

Static analysis result for SHA-256 19de2b00608a0977…

MALICIOUS

PDF

Size: 83.5 KB
Created: 2021-01-13 01:40:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: 9604246aa1c7488917efe2870b5f4927
SHA-1: f0500bd27c8aa60048242ec5a62853405528acd5
SHA-256: 19de2b00608a0977171db677eae8f3c413594df00a7d3a1b8a74bf47c76f9468
Risk score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a link farm. It contains numerous external links, many pointing to disposable hosting services, suggesting an attempt to distribute further malicious content or phish users. The document body, though heavily obfuscated, contains metadata related to 'wkhtmltopdf' and a date, but no clear textual lure was extracted.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e5ff.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE5FF
    Size: 5428 bytes
    SHA-256: 1f44ae80b6c16d1f909529065547e1a75a288a6e8c272af0dc29cb5ca2a5497b
  • font_01_sfnt_off0000f86c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF86C
    Size: 10640 bytes
    SHA-256: 1453bf950d74c74feb89f3a666c69eeff9a8ac6d54e1cf468b05a9dac062ba05
  • font_02_sfnt_off00011ce5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CE5
    Size: 16248 bytes
    SHA-256: b80d098170376c84cb198fb93be88f4cd0b9b55acadd9daad5e215c44ee14fe9
  • font_03_sfnt_off0001322b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1322B
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361