Malicious PDF — malware analysis report

Static analysis result for SHA-256 33f3698bdbf6d25a…

MALICIOUS

PDF

49.6 KB Created: 2021-01-05 04:23:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 9ff80e084ba579872e8cd687db909eec SHA-1: 779ee0df1fa7f62194e290b9901598a3801acf04 SHA-256: 33f3698bdbf6d25a3c30556137b62f8c81feb18f81ea3ced0d44f6971c621260
192 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, many of which point to redirectors and SEO link farms, indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and 'coloring sheets', suggesting a lure. The presence of multiple PDF links and a critical heuristic firing for malicious redirector links strongly supports this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7532

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?utm_term=kawaii+unicorn+coloring+sheets In PDF document text
    • https://tinutenuku.weebly.com/uploads/1/3/4/6/134664278/8d4e12eede4.pdfIn PDF document text
    • https://fozijiruzixusap.weebly.com/uploads/1/3/4/3/134317533/jubezexugugapab.pdfIn PDF document text
    • https://bivapere.weebly.com/uploads/1/3/4/6/134689139/887160.pdfIn PDF document text
    • https://cdn.sqhk.co/zetikitor/Yqhadko/56575104878.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e6272274-24a5-48e1-a3f9-679a11f9cea7/zukuwujigisuletebolupan.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c9f89d04-588b-42f7-ad69-ee763cabca0a/types_of_education_seminars.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ca0c67d2-8295-4958-a902-43418874a43f/44754611753.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d5b6239e-8af8-4480-96f9-fabae3468054/guide_for_stumble_guys_multiplayer_royale_apkpure.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/12d04cf3-95ad-486d-89c4-b47fded91d94/kavigugatenobugipuxudu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6459f650-f498-446a-962e-b0e742eafdd2/62089076964.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/12b36dfd-35ca-48bd-bd2b-5ce68fffb803/fuminosopulopiwikagob.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.