Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e9fed25ade54011…

MALICIOUS

PDF

26.0 KB Created: 2020-11-07 20:45:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04
MD5: a9011406e33571380e22c305949f6647 SHA-1: 1de3e88021e7b9565408490889d4e002221e0f2e SHA-256: 9e9fed25ade540114596e63d6497ada257b7964b1c3bb1ae233de34d4da89679
74 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that points to a suspicious domain, likely intended to redirect the user to a malicious site. The ML classifier also flagged this PDF with high confidence. While no scripts were explicitly extracted, the presence of embedded URLs and the overall suspicious nature of the PDF suggest an attempt to exploit user interaction for malicious purposes, possibly as a lure for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 3

  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/aws?keyword=exo+greek+root+meaning PDF link annotation
    • https://mabanopovofed.weebly.com/uploads/1/3/1/4/131453130/6624805.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4368505/normal_5fa3ea466004a.pdfIn PDF document text
    • https://katolafafesol.weebly.com/uploads/1/3/4/4/134479470/3276670.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4381344/normal_5f8e3767d846e.pdfIn PDF document text
    • https://vuvopovakufusoz.weebly.com/uploads/1/3/4/3/134342968/50f5ed278c405b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4421210/normal_5f974e523741f.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4459777/normal_5fa1adc8c6af2.pdfIn PDF document text
    • https://raralulewuk.weebly.com/uploads/1/3/4/4/134478892/dabogonoselaz.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://kiwowet.files.wordpress.com/2020/11/4633397285.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000055f5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x55F5 4884 bytes
SHA-256: 80d56712d508640333cb9f4b978e7749bb97c346a6fac9be7347c1bfd9f60c54

Open this report in the interactive analyzer, or submit your own file for analysis.