Malicious PDF — malware analysis report

Static analysis result for SHA-256 2aae854f4b6104d5…

MALICIOUS

PDF

Size: 311.7 KB
Created: 2025-07-08 20:08:22 +03:00
Authoring application: wkhtmltopdf 0.12.6 (via GPL Ghostscript 9.53.3)
First seen: 2026-06-27
MD5: 694ec0297d638e14533461c23fb82734
SHA-1: 6130c1f94494a6e745da0aca1b0b28f57ca316f7
SHA-256: 2aae854f4b6104d574b1866ec94809f484ca72d9773ac8a83e5c4500d3c09545
Risk Score: 86

Machine Learning

  • Nyx PDF Classifier clean score 0.0254

Heuristics 5

  • PDF link to algorithmically-generated URL (high, PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0004b2d9.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4B2D9
Size: 8516 bytes
SHA-256: c7a6aa2b16ccb4b6837bca4e68cf7f3dbb3fce121088a8fdbd089f24769ecf99