Malicious PDF — malware analysis report

Static analysis result for SHA-256 34007cfca834904f…

MALICIOUS

PDF

50.6 KB Created: 2021-01-26 11:05:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 7cd159e6fad5ce627451154de0efed5c SHA-1: 2284f19e458395e1e329b578d2d9898ba876a12f SHA-256: 34007cfca834904f89876d2aefbb329f1ada073d7c5bb9ef0717ec2fd4ab7097
182 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, many pointing to disposable domains and redirectors, indicating a phishing or malware distribution attempt. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_DISPOSABLE_LINK_FARM' strongly suggest malicious intent. While no scripts were explicitly extracted, the nature of the links and the ML classification point towards a common PDF-based phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7362

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/aws?utm_term=animal+ippadithan+full+movie+tamil In PDF document text
    • http://pubgucbayim.com/spider_solitaire_app_download5ywnn.pdfIn PDF document text
    • http://sdek-24.cc/samunvc5ve.pdfIn PDF document text
    • https://fobizolavavoka.weebly.com/uploads/1/3/1/4/131406440/87425.pdfIn PDF document text
    • https://waxagenejefud.weebly.com/uploads/1/3/4/7/134712445/tixedilu.pdfIn PDF document text
    • http://zoo-taxi.site/offline_poker_app_applejp45d.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4419851/normal_5fefd8bba669c.pdfIn PDF document text
    • http://tehnotop.site/meaning_of_amaze_in_english_languagewzho2.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4452385/normal_60088e6a58299.pdfIn PDF document text
    • https://junoxavod.weebly.com/uploads/1/3/1/3/131384771/3692743.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368756/normal_600d6f68cf216.pdfIn PDF document text
    • http://cosmicgig.com/anime_sword_clash_sound_effect9n60k.pdfIn PDF document text
    • https://tamilazubi.weebly.com/uploads/1/3/4/6/134604156/lotuku.pdfIn PDF document text
    • https://wezenazuzive.weebly.com/uploads/1/3/4/7/134764498/3584256.pdfIn PDF document text
    • http://zowipazivavi.epizy.com/67773013302.pdfIn PDF document text
    • http://rajemezipuz.rf.gd/mizezadudaf.pdfIn PDF document text
    • http://bezepegu.epizy.com/sobexuvelulanulijok.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.