Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dcc28d9b5182b94…

MALICIOUS

PDF

238.1 KB
Created: 2020-11-26 18:29:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-05-30
MD5: 190dbf4935feca86368a5b071111867c
SHA-1: b08e23cfdcc7e11a7f45ec1adf2d45b8d14f8e86
SHA-256: 1dcc28d9b5182b94bc8db820e5829c10597ec96f606f9c14b5382db1abd1654e
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000372f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x372F9 | 5104 bytes
    SHA-256: 8767ccd94fb102e305c9d21f04e2096e6aedbd3da0fb151bb046481f9fba7875
font_01_sfnt_off00038448.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x38448 | 11428 bytes
    SHA-256: 99eab9051219ef2965d40e34e0f4d50a86e6b3ea595abe225b83a0a1cfe36750