Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a0b71b15ae1f67b…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2021-01-30 01:50:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: 0b6009ac50eb6285f4ee579dc7e973d8
SHA-1: 4005338dd8149a5a7832112d9faf8456f26d34f8
SHA-256: 7a0b71b15ae1f67b3529d20bc31f2f0156569264574ae3b4f300534a4261df96
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or scam campaign, leveraging SEO tactics and redirectors to host numerous other PDF files. The presence of external URI links and a PDF link farm suggests an attempt to distribute malicious content or lead users to phishing sites. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d15e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD15E
    Size: 5216 bytes
    SHA-256: 3233488eaa7eb2018638dcb148f7949e66a78535649edfc6f0c53c8c8149f64a
  • font_01_sfnt_off0000e2ec.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2EC
    Size: 9956 bytes
    SHA-256: a013f1018e34b92d009a71e51ca347c16b13b119ae681908fe4e2e0d581dcf14
  • font_02_sfnt_off0001052b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1052B
    Size: 18372 bytes
    SHA-256: 54746f4ff54b1f46fe98660c1f464152a6c16bbbf774d003962f77bef79fe6e1