Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a3bebbb3559d3ae…

MALICIOUS

PDF

Size: 101.6 KB
Created: 2021-01-31 21:37:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: 4f38f71bdc23a606806b6740bf04e644
SHA-1: cc66610428568f850914fa2f290dba07247e4a54
SHA-256: 9a3bebbb3559d3ae658f20f468288d42e9953dcac50444c1e545d026cb6567e7
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs pointing to disposable hosting and link farms, a common tactic for distributing malware or phishing content. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' specifically flags the document's structure as a link farm on disposable hosting, suggesting an attempt to obscure the true malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9806

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/aws?utm_term=arbitration+law+reporter+journal (PDF link annotation)