Malicious PDF — malware analysis report

Static analysis result for SHA-256 7500477ee0446733…

MALICIOUS

PDF

16.6 KB Created: 2020-10-30 21:34:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 08df840fa5a5d347f3d632bc04d583d0 SHA-1: 833aecb54d4bdc121ac094d6564d86337c6e3f88 SHA-256: 7500477ee0446733f427d59646bd4e555b8008767f51cbedfaee13a9c9e63863
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links to redirector domains, including a critical finding of a malicious redirector link. The document body, though heavily obfuscated, contains the same suspicious URL found in the heuristics. This indicates a likely phishing or malware distribution attempt by directing users to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?keyword=area+code+77507 In PDF document text
    • https://cdn-cms.f-static.net/uploads/4373240/normal_5f9757b1c8a6a.pdfIn PDF document text
    • https://vuvofazomegudej.weebly.com/uploads/1/3/4/3/134329778/sipugujej.pdfIn PDF document text
    • https://jewuvasoseximu.weebly.com/uploads/1/3/4/3/134355154/nibudutagomujed.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385435/normal_5f91f9442b87b.pdfIn PDF document text
    • https://s3.amazonaws.com/fadedosi/no2_polar_or_nonpolar.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8f7e2810-9551-44f5-b0c6-e7d1550259f9/9341405453.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0480/3022/0447/files/70474027590.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c468990f-8934-44a0-bfc3-0d544a0003b3/pivekizezujele.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b95cb4eb-997a-4f55-abf1-585d4399c60f/xebezonopiso.pdfIn PDF document text
    • https://s3.amazonaws.com/pesetufavo/plate_tectonics_multiple_choice_test_answers.pdfIn PDF document text
    • https://s3.amazonaws.com/sugosubexez/zidulozudoredo.pdfIn PDF document text
    • https://s3.amazonaws.com/sukedil/aroma_rice_cooker_recipe_book.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d0e11bdc-e929-4e6e-895e-2430d721c120/susopasaxidiwux.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2f5171c2-a97b-4c67-ae25-8802eddb3879/dsc_alarm_system_manual_z823.pdfIn PDF document text