Malicious PDF — malware analysis report

Static analysis result for SHA-256 94107f4e21f23584…

MALICIOUS

PDF

138.9 KB Created: 2022-06-12 09:36:11 +02:00 Authoring application: valgab (via PDF Master 1.0.1) First seen: 2026-06-12
MD5: 0c42abbf7fe23a6f4b2da7b98c856523 SHA-1: bfdacd758471f64bb4ea5246b4ba038fbf3427ef SHA-256: 94107f4e21f235844687eed97a29964f89fec1f93dfb9aae283b47a7bda81bfb
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to cracked software or are algorithmically generated. This suggests a link farm designed to lure users into downloading potentially malicious files or visiting compromised sites. The presence of multiple PDF_SEO_LINK_FARM and PDF_CRACKED_SOFTWARE_LURE heuristics strongly indicates this malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0008

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm advertises cracked/pirated software medium PDF_CRACKED_SOFTWARE_LURE
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://evacdir.com/embryonic/ZG93bmxvYWR8RDl5Wm1KbGJueDhNVFkxTkRrNE9URTJNbng4TWpVNU1IeDhLRTBwSUZkdmNtUndjbVZ6Y3lCYldFMU1VbEJESUZZeUlGQkVSbDA.QW1wbGUgU291bmQgQWJqIDIgS2V5Z2VuIDU3IGFnZ2lvcm5hbWVudGkgcG93ZXIgbmF0aW9uYWwgY29zdGkQW1?blusher=/defray/constructivism/satelite PDF link annotation
    • https://jujitsu.pl/huawei-g730-u00-network-error/In PDF document text
    • https://www.cdnapolicity.it/wp-content/uploads/2022/06/MeldaProduction__MAudioPlugins_1206_VST_VST3_AAX_x86x64_64_b.pdfIn PDF document text
    • https://www.onk-group.com/eagleget-2-1-6-20-portable/In PDF document text
    • https://cambodiaonlinemarket.com/?p=11700In PDF document text
    • https://img1.rapidleaks.com/2022/06/HD_Online_Player_Andaaz_Full_2021_Movie_Hd_1080p_265.pdfIn PDF document text
    • https://kireeste.com/how-to-crack-rpg-maker-vx-ace-english-patch-updated/In PDF document text
    • https://www.repaintitalia.it/chrysler-dodge-jeep-navigation-dvd-05064033al-rar/In PDF document text
    • http://www.healistico.com/wp-content/uploads/2022/06/keisho.pdfIn PDF document text
    • http://bookmarkwebs.com/upload/files/2022/06/QMdrsnYuoGIBk5KDvgDu_12_a5923dd54858c1d2861ba5e1f870dda5_file.pdfIn PDF document text
    • https://www.facebisa.com/upload/files/2022/06/J8kcZ8xxhGOxX4cAdDxs_12_2abeb73035aa313d7fae69d66ac91a29_file.pdfIn PDF document text
    • http://fitadina.com/?p=108625In PDF document text
    • https://www.bigaticaret.com/wp-content/uploads/2022/06/asctimetableregistrationcodekeygenidm.pdfIn PDF document text
    • http://defisociety.com/?p=12674In PDF document text
    • https://www.vclouds.com.au/quarteroni-sacco-saleri-matematica-numerica-pdf-top/In PDF document text
    • http://epicphotosbyjohn.com/?p=7864In PDF document text
    • https://volektravel.com/data-rescue-2-crack-mac/In PDF document text
    • https://wearebeachfox.com/wp-content/uploads/2022/06/Baixarativadordowindows8probuild920012_VERIFIED.pdfIn PDF document text
    • https://marketmyride.com/realflight-expansion-packs-add-ons-crack/In PDF document text
    • https://www.corsisj2000.it/macdrive-10-serial-number-keygen-hot/In PDF document text
    • http://www.ecomsrl.it/sage-50-accounting-2015-exclusive-cracked/In PDF document text
    • http://www.tcpdf.orgIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://www.aiim.org/pdfa/ns/extension/In PDF document text
    • http://www.aiim.org/pdfa/ns/schema#In PDF document text
    • http://www.aiim.org/pdfa/ns/property#In PDF document text
    • http://www.aiim.org/pdfa/ns/id/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000e40.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE40 120140 bytes
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
stream_009_off0001af80.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1AF80 119072 bytes
SHA-256: df221e87b81d1531cafdadb6c09a602e9f604d1baf0a17bbd350cbb83baa06f7

Open this report in the interactive analyzer, or submit your own file for analysis.