Malicious PDF — malware analysis report

Static analysis result for SHA-256 793c79567a905324…

MALICIOUS

PDF

80.5 KB Created: 2020-10-17 16:50:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-15
MD5: 83fbf73d23fc4d58a2ee09bad02d047c SHA-1: df101c8dbe97751dbb4b6bfeb22f46f9d9e6742e SHA-256: 793c79567a9053241d6e23b379e59f1d6b361bc72f6d27859717a51b30d7126f
194 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=jojo+band+references In PDF document text
    • https://xutewosabog.weebly.com/uploads/1/3/2/3/132303209/cc82c65ca.pdfIn PDF document text
    • https://besavikeneg.weebly.com/uploads/1/3/2/8/132815808/8163316.pdfIn PDF document text
    • https://roninuvanajeg.weebly.com/uploads/1/3/1/3/131379749/5302452.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366321/normal_5f8a452c1fc82.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369310/normal_5f881c1d83efe.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365624/normal_5f8914e114e93.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369311/normal_5f893d4be04c5.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/685c9607-5ed2-46e5-a75c-c933ede62480/nonovuxozuj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/96fdefb2-4720-4870-94c9-6319b301c4cb/57154130325.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b73b0ca0-8b82-42c6-8417-0a7bf4819bd0/begasiwa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1cbf5528-1086-4f47-bf60-9e1d6a7fc321/lugemiruguvusa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bc796569-0386-4702-aa5b-0b8e8c007a74/doce_vingana_3_dublado_completo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5e34f5bd-ad8e-49f4-a7fd-c11dd9b85b2c/97007400925.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4cc6fb13-e07a-473d-afae-906b05bdfa1c/73846915254.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/2239/2737/files/it-201_form_2018_fillable.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0492/8028/6876/files/tilejapof.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/7778/6018/files/overhead_door_model_2026_homelink.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/8389/0850/files/barriers_to_entry_in_monopoly.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0481/5916/2521/files/10056666141.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0486/9639/3878/files/asterix_the_gaul_french.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/7090/5750/files/cod_boz_apk_obb.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e342.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE342 7060 bytes
SHA-256: 54d0c22044cf19db3fdcca1efedc18cb0312fd579eebaac1dad645724cf5d582
font_01_sfnt_off0000fb26.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB26 5188 bytes
SHA-256: 692a669d0de7199ea7788f2212681889f1d3056df50621684f599a99e156d211
font_02_sfnt_off00010cd8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CD8 11664 bytes
SHA-256: 6116975404f7485fc9d52c3c53b4d2b3f5d0cc636acd201f84743f3c49153b00