Malicious PDF — malware analysis report

Static analysis result for SHA-256 4be56e9a72083e6e…

MALICIOUS

PDF

File size: 44.9 KB
Created: 2021-03-04 20:59:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: ce5ce622c50e1f4cba65478aefba7a89
SHA-1: 0d0843d95101328849c492fd91f24ec78d306d6f
SHA-256: 4be56e9a72083e6e7b1c8e5e737ff4fd09c531c61f8d4db982186eef1b49d3aa
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to SEO-optimized PDF documents hosted on suspicious domains. This behavior is indicative of a link farm used to distribute malicious content or conduct phishing attacks. The ClamAV detection and ML classifier further support the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8552

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.