Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a765c35b1f848b7…

MALICIOUS

PDF

46.1 KB Created: 2021-01-04 05:06:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 68e64bf532c6078cbc7b9021e57a5616 SHA-1: b9a22d5e6e9e93b27186d25155b1f24b3482929f SHA-256: 5a765c35b1f848b71ecf61766e76153639cc22799e82c7b1eec6dfb56828fc80
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains embedded links that redirect to malicious infrastructure, specifically identified as a redirector. The document body, though heavily obfuscated, suggests a lure related to a 'solution manual'. The presence of numerous external links, including one pointing to a known malicious redirector, indicates an attempt to drive traffic to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6591

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/123?utm_term=wayne+winston+operations+research+solution+manual In PDF document text
    • https://buzapakamewogu.weebly.com/uploads/1/3/4/3/134366326/9579280.pdfIn PDF document text
    • https://cdn.sqhk.co/mozedizupi/f6beIjc/54165058674.pdfIn PDF document text
    • https://s3.amazonaws.com/vizegemawokaxe/zowokaposaxof.pdfIn PDF document text
    • https://s3.amazonaws.com/xisakazelelinim/martyrs_of_marriage_full_documentary.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c4dd02a6-84bb-4d6b-b370-5a9b98a6fb29/53311550598.pdfIn PDF document text
    • https://s3.amazonaws.com/gedimuta/mesemagogige.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ae55900e-9c23-4c89-83b5-ad4643aa0703/sweeney_todd_costume_shirt.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/dfebb179-7844-416d-a44e-47ac34fd9edb/new_jersey_notary_public_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a0cc8aab-1972-4428-bcfa-f50d81fa3a81/mens_lapel_pins_uk.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/91f27c0d-3b60-4397-896d-86c99c82b0b7/beverly_hills_chihuahua_chloe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f5568745-b654-4e4b-b067-0afe429209ee/fallout_4_strategy_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6deb4e1d-6488-4903-bc89-e57995835560/66828384725.pdfIn PDF document text