Malicious PDF — malware analysis report

Static analysis result for SHA-256 773527286591f3f4…

MALICIOUS

PDF

Size: 52.4 KB
Created: 2021-03-23 07:19:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: 8a656d96daf91c94d3166cfbf2dfaa3e
SHA-1: 1b1517db74f32b1e214f5a779fd5632775fbfd8a
SHA-256: 773527286591f3f404ee1038b623e44c1253235c5cde77fbcebc2e17392563f8
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was identified as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous external URLs, with one prominent URL being `https://lozipotod.ru/strik?utm_term=saxon+math+course+3+teacher+edition+answers`. The presence of a link farm suggests an attempt to direct users to potentially malicious websites for phishing or malware delivery, aligning with the characteristics of a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9372

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/strik?utm_term=saxon+math+course+3+teacher+edition+answers (PDF link annotation)