PDF malware analysis — malicious · a26d0734354b10c2

MALICIOUS

PDF

69.2 KB Created: 2020-12-22 01:26:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05

MD5: 7528f598c4f76b7282e2b650f1e088af SHA-1: d2ab77dce83afab8f6ad2096bb67ba624844a650 SHA-256: a26d0734354b10c28fe584531eb54644eabd20516e09d5602858d7abde71a6c7

254 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to redirector infrastructure, specifically pointing to 'traffmen.ru' with a lure related to a game hack. This indicates a phishing attempt designed to trick users into visiting malicious sites. The ML classifier and ClamAV detection strongly support its malicious nature, classifying it as a phishing trojan.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffmen.ru/strik?utm_term=super+stickman+golf+3+hack+apk In PDF document text
- https://cdn-cms.f-static.net/uploads/4381788/normal_5fc2b7a34f3bb.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4496404/normal_5fca297a88639.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4420586/normal_5fb298d96d22b.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4492915/normal_5fc53212a9357.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4458122/normal_5fb9145a3d392.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365586/normal_5f880a268ae18.pdfIn PDF document text
- https://tupipukevoluda.weebly.com/uploads/1/3/4/0/134041298/jesasuzu.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.daltonmaag.com/In PDF document text
- https://uploads.strikinglycdn.com/files/a9ad64ba-540c-4b9b-bdbd-45336839a36b/71077625938.pdfIn PDF document text
- https://static1.squarespace.com/static/5fc174bcc89e1c4b8fc25c90/t/5fc8f9701042084a509cda8a/1607006577734/xodetuxit.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/78c82424-cf66-4ee0-b0fe-2bb080d82405/45388171536.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6e2c7225-3315-4e29-b0e1-239991a243d6/26901713161.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1cb3bda8-2277-4bd4-9050-cfad9e268426/56487986371.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/018509a6-3150-4774-bb47-05620011a1d0/40_times_escape_level_35_answer.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fdf60e57-b970-4f07-8066-918d1b0e0aff/mxq_pro_4k_6.0_review.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b9593a14-c43e-4f96-bc7f-6b024d205a9d/93088288762.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b9c1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB9C1	5640 bytes
SHA-256: `cef192de80914d635e298a3f77077c2267cb92d778da31ce9cb981b756caf2b3`
`font_01_sfnt_off0000cccb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCCCB	14316 bytes
SHA-256: `43c0db5a4151d8cf4b7b724f9fce0f5e899e100d932ddee1e617a04170c5b10e`
`font_02_sfnt_off0000f9e2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF9E2	4324 bytes
SHA-256: `1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e`

Open this report in the interactive analyzer, or submit your own file for analysis.