Malicious PDF — malware analysis report

Static analysis result for SHA-256 a153be5f6bfbe71a…

MALICIOUS

PDF

25.9 KB Created: 2020-11-07 07:35:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04
MD5: f64e1e7007f5a4cf15baaffa0c71b9ec SHA-1: 302dff37ce4d422207d330a020d8433b26461184 SHA-256: a153be5f6bfbe71a28ed9a5f16e0eb18934d90277eec54954fb15a315fc78482
74 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains heuristics indicating it is a malicious SEO redirector, using an image lure to trick users into clicking a link. The primary malicious URL identified is 'https://trafftec.ru/aws?keyword=icivics+answer+key+the+great+state', which is likely used to deliver a secondary payload or conduct a phishing attack. No scripts were extracted, but the PDF structure and URL suggest a common phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 3

  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/aws?keyword=icivics+answer+key+the+great+state PDF link annotation
    • https://gusumadanu.weebly.com/uploads/1/3/2/6/132695601/1145be3e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380854/normal_5f93c489b43a4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367624/normal_5f89bdaa95a81.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/b56288ab-f510-4a06-84ed-d2f277911729/namoze.pdfIn PDF document text
    • https://s3.amazonaws.com/fatikonavori/magic_quadrant_for_application_security_testing.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6c254289-d59d-4803-b42a-72df8d1aa487/mamid.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ed93b14a-39fc-4294-9c74-c26fed8c9be1/49592201081.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6c5365c5-a335-4218-a22b-280db1784b95/80350981754.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3d560f95-f35f-497d-8e3e-a9e90604299b/9696359837.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0c97a5d3-7ae0-4241-976b-3b36ec1011da/when_is_resident_match_day_2020.pdfIn PDF document text
    • https://s3.amazonaws.com/xanebavifamopez/kowomepejugovajuwikuzuwan.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000528e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x528E 5284 bytes
SHA-256: 2ccf4fb16a20548f99228f7a6ce72b615d48c351012407b4c03a2bc7b9b85764

Open this report in the interactive analyzer, or submit your own file for analysis.