PDF malware analysis — malicious · 9c77d4f53ac365a4

MALICIOUS

PDF

64.2 KB Created: 2021-01-09 02:27:27 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05

MD5: 7775cd6aea7d56cd0d2fa85484a64074 SHA-1: 245782c29240066cf3d17959432db725e188e4ee SHA-256: 9c77d4f53ac365a4a6146b0bb8d4cdcefb35e87b5ab33c333eff31921834f9b6

254 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics and an ML classifier, indicating it is a phishing or malware distribution attempt. It contains numerous links, including one pointing to a known malicious redirector, likely intended to lead the user to a fraudulent site or download a payload. The presence of embedded URLs and the nature of the heuristics suggest a phishing attack leveraging a lure related to a popular product.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffine.ru/123?utm_term=walmart+iphone+charger In PDF document text
- https://mukeluxera.weebly.com/uploads/1/3/4/5/134528716/nukafedegelowogox.pdfIn PDF document text
- https://nunevebola.weebly.com/uploads/1/3/4/8/134846747/wovose-dunexu.pdfIn PDF document text
- https://cdn.sqhk.co/mugejufunij/iiCEfet/59661156977.pdfIn PDF document text
- https://cdn.sqhk.co/puwukuwos/Qgegcjj/37073219494.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/82c9181e-d0c9-4767-b592-e191691ee38a/78500363141.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b44079d9-afab-460c-aa64-d838b94287a2/pewajobizuputobupujar.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c45597b1-22ac-4891-a719-fdfbe2897e74/fojitoguf.pdfIn PDF document text
- https://s3.amazonaws.com/dugibabafod/everstart_battery_charger_6811a_manual.pdfIn PDF document text
- https://s3.amazonaws.com/sulasatevirexo/authentication_failed_firebase_android.pdfIn PDF document text
- https://s3.amazonaws.com/firudegix/tadidugofez.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2f8f8c87-e73e-42d6-9264-7ec0bcd2d707/indoor_skydiving_las_vegas_reviews.pdfIn PDF document text
- https://s3.amazonaws.com/wexukufedepim/wujawom.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7350a9da-304d-4fe2-9572-2e38d9df7d8a/zulosamotetepodope.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b7807827-36a5-4184-b81f-395d8c3c79b8/weather_today_hourly_nj.pdfIn PDF document text
- https://s3.amazonaws.com/pazifetanegapu/calvin_and_hobbes_full_collection.pdfIn PDF document text
- https://s3.amazonaws.com/juwofuxufijup/amazon_sql_interview_questions_and_answers.pdfIn PDF document text
- https://s3.amazonaws.com/timeziso/free_minecraft_download_apk_for_xbox_one.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000bfe0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBFE0	5184 bytes
SHA-256: `770de802962f582d3612f25c0dbd1df67580cc424301e4a3930a4df959543960`
`font_01_sfnt_off0000d166.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD166	10740 bytes
SHA-256: `32b2c9d6950344792135c2e726950db313a1a533b08027b66b2253490b1c3010`

Open this report in the interactive analyzer, or submit your own file for analysis.