Malicious PDF — malware analysis report

Static analysis result for SHA-256 44502b5b7a958652…

MALICIOUS

PDF

124.1 KB Created: 2022-06-12 09:36:38 +02:00 Authoring application: caithom (via PDF Master 1.0.1) First seen: 2026-06-12
MD5: bc27ab513d4b2027d568c56f4a83721f SHA-1: 020a9878da5626e15c638fb9b748bffbfc2e9d47 SHA-256: 44502b5b7a958652a2c9338ebc9db12e6316e2a0d8567d6f093ce6d44733a147
Risk Score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm designed to distribute malicious content. One critical heuristic identified a mass external PDF link farm, with the first URL being https://salty-chamber-89334.herokuapp.com/leswell.pdf. The presence of a 'download' button lure further supports the malicious intent of directing users to external resources. No scripts were extracted, but the overall structure indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0015

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] (SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off00000e47.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xE47
Size: 120140 bytes
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4