Malicious PDF — malware analysis report

Static analysis result for SHA-256 64af77217c18d11a…

MALICIOUS

PDF

406.6 KB Created: 2020-11-08 02:56:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04
MD5: bd4b7acd1c48cf14e60b5b250c7799d1 SHA-1: 25ec00ba42d61bc7500f4594a4048fc83d3b04c9 SHA-256: 64af77217c18d11a7e4a0118f45eb8e6c3b015894f36eb108ffcf3f1dd4a13ce
74 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a lure related to a "Trinco dry blast bp36 manual" and includes a high-confidence heuristic firing for a PDF SEO UTM redirector link. This link, https://trafffe.ru/aws?keyword=trinco+dry+blast+bp36+manual, is likely used for phishing or malware distribution. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9901

Heuristics 3

  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/aws?keyword=trinco+dry+blast+bp36+manual PDF link annotation
    • https://newejata.weebly.com/uploads/1/3/3/9/133999860/jurove.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368732/normal_5f89536dca776.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369511/normal_5f8c45832d1a7.pdfIn PDF document text
    • https://defifipak.weebly.com/uploads/1/3/4/4/134442047/wigebadidulok_savegeb_fusefoti_pegoparo.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368976/normal_5f9bbb520471c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369512/normal_5f8ea0b183e1f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4426088/normal_5f9d7a1ac832d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378410/normal_5fa4b50a363e5.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366316/normal_5f8736a6c0088.pdfIn PDF document text
    • http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
    • https://s3.amazonaws.com/tenunud/loading_guide_poles_for_boat_trailers.pdfIn PDF document text
    • https://fisibit.files.wordpress.com/2020/11/atari_breakout_i_m_feeling_lucky.pdfIn PDF document text
    • https://nerofisela.files.wordpress.com/2020/11/70577852582.pdfIn PDF document text
    • https://nosajal.files.wordpress.com/2020/11/the_divine_iliad.pdfIn PDF document text
    • https://tirutijupez.files.wordpress.com/2020/11/fepag.pdfIn PDF document text
    • https://xefosoxawa.files.wordpress.com/2020/11/break_even_analysis_in_management_accounting.pdfIn PDF document text
    • https://wimosera.files.wordpress.com/2020/11/miluvi.pdfIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00064778.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x64778 3108 bytes
SHA-256: 256af3f1c4266c6ced81caa97e713af1b95f17f99e1b80f4e6e06e6e030407ae

Open this report in the interactive analyzer, or submit your own file for analysis.