Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ec5439c282ab7e9…

MALICIOUS

PDF

27.3 KB Created: 2020-09-13 15:51:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 2230c7be9561759922ba3b17123ea36c SHA-1: f0c6752765a3deff9a48565ac7071ebfe3867015 SHA-256: 7ec5439c282ab7e9d60a9ad43b50de4bca14b74a3c2321470809b508d063e368
232 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links designed to appear as search results or legitimate documents, but they redirect to malicious infrastructure. Specifically, the link 'https://ttraff.com/wix?keyword=fedders+window+air+conditioner+replacement+parts' is identified as a malicious redirector. This pattern suggests an attempt to lure users into clicking malicious links, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=fedders+window+air+conditioner+replacement+parts In PDF document text
    • http://rumun.privatecounsellingandmediation.com/uploads/1/3/0/7/130775565/6f575.pdfIn PDF document text
    • http://vipowoxoz.pioneervalleykennelclub.com/uploads/1/3/2/3/132302842/zonadonan-kotemafidu-komolibur.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static.usrfiles.com/ugd/b28ae2_b7cbeb096977489a8f0c1584f99bdb72.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/97368a_3d685c8de3d8422a8ee1746597fe6d30.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/4c76bf_a4cae0fcc1c6426e86ec1e03290885e2.pdfIn PDF document text
    • https://static.usrfiles.com/ugd/418e76_8959b7e1321142c8b53db5c6dc86cd72.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/8758/5699/files/kanobasuvipujavowiredupaf.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0438/7844/9307/files/cracked_minecraft_1._14._2.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/0771/2155/files/99468484792.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0440/2846/1206/files/maplestory_4th_job_advancement_level.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/4272/5275/files/estilo_apa_bibliografia.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0438/9113/0536/files/r_statistical_software.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/3095/3630/files/wisufid.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0438/9113/0536/files/gastroenteritis_akut_idai.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004871.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4871 5052 bytes
SHA-256: 092db1cf6a923a0e55279d4990ac1d8d95c6635b6485ae4351a6cc3f034fb002