Malicious PDF — malware analysis report

Static analysis result for SHA-256 8231964cf37dd2cb…

MALICIOUS

PDF

41.4 KB Created: 2021-01-11 23:28:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: b06daca8d4785102dc1f0ec08c412a5c SHA-1: e40421022f6230b83b73edce8ef618020b43b649 SHA-256: 8231964cf37dd2cba46cbb8896e842e324430c0b44e66395b9c0c23b4c7cca6c
182 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains numerous links to disposable hosting domains, with one prominent link directing to a known malicious redirector. The document body, though heavily obfuscated, appears to be a lure related to flight information. The presence of embedded URLs and the ML classifier's high confidence score indicate a malicious intent to redirect users to potentially harmful content or initiate further infection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9297

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?utm_term=flight+arrival+information+san+diego In PDF document text
    • https://site-1179316.mozfiles.com/files/1179316/anime_plunderer_wikipedia.pdfIn PDF document text
    • https://site-1172860.mozfiles.com/files/1172860/67205444474.pdfIn PDF document text
    • https://site-1167950.mozfiles.com/files/1167950/fallout_new_vegas_terminal_hack_cheat.pdfIn PDF document text
    • https://site-1172683.mozfiles.com/files/1172683/dragon_quest_11_ps4_vs_switch.pdfIn PDF document text
    • https://site-1178332.mozfiles.com/files/1178332/hamster_cancer_life_expectancy.pdfIn PDF document text
    • https://site-1168191.mozfiles.com/files/1168191/one_block_skyblock_for_minecraft_pocket_edition.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4382629/normal_5ffb4e4a7ddd5.pdfIn PDF document text
    • https://site-1178518.mozfiles.com/files/1178518/84172691228.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4384164/normal_5fd639fc96f60.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4392453/normal_5ff454fe6ed76.pdfIn PDF document text
    • https://lewutiresapilo.weebly.com/uploads/1/3/4/5/134594640/292260.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4384036/normal_5fd7b4c1a3a86.pdfIn PDF document text
    • https://buliduxefexefux.weebly.com/uploads/1/3/1/6/131636978/waluwuwudof.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.