Malicious PDF — malware analysis report

Static analysis result for SHA-256 3078d9119fde54d5…

MALICIOUS

PDF

52.6 KB Created: 2020-11-14 00:06:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 550af6566a24aff7a856d7468dffb51b SHA-1: cb80becddc0009847b18b4b20055833a6f23d9dc SHA-256: 3078d9119fde54d59dcb47da25d7d59f78e7de6d98e81df3ad2e1dc1f8da7d93
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link disguised as educational material ('rotational symmetry worksheets grade 4') which redirects to known malicious infrastructure. This indicates a phishing attempt, likely to deliver a malicious payload or lead the user to a credential harvesting page. The ClamAV detection further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2749

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?utm_term=rotational+symmetry+worksheets+grade+4 In PDF document text
    • https://cdn-cms.f-static.net/uploads/4366654/normal_5f875a50b8ff4.pdfIn PDF document text
    • https://jatasurow.weebly.com/uploads/1/3/4/3/134358583/kazugosisabeg.pdfIn PDF document text
    • https://lonerunit.weebly.com/uploads/1/3/4/0/134017922/17a34bc078759.pdfIn PDF document text
    • https://wubugivaruj.weebly.com/uploads/1/3/4/6/134669137/5382341.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4474727/normal_5fa6dde08a9fc.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d04c495f-c20e-498e-a212-27a0a5df3e5e/wudisa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cd4d9095-a1b1-4151-858b-24fa77f7b619/74545596942.pdfIn PDF document text
    • https://s3.amazonaws.com/pomaxa/minecraft_shaders_pack_1.8.9_that_boost_fps.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c33f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC33F 5592 bytes
SHA-256: fde954ef06ca96a78553fb57b9d9b03e351e326362e1973f4bfcd286ccfaa5e1