Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4f2b7bfe403b3b2…

Verdict: MALICIOUS
File type: PDF
Size: 44.4 KB
Created: 2020-10-25 23:53:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-07-01
MD5: 311e22d489eaf6a301517194b54ef830
SHA-1: a1c15ff3fa0eed1c38d8357257f16e8c40c98fd3
SHA-256: a4f2b7bfe403b3b2834cb281eecb83b0a06e4229462f7f2126424cbbd11a4d7f
Risk score: 134

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (where found):
    • https://cctraff.ru/wb?keyword=bixler%202%20manual  (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367273/normal_5f95ba3fe1124.pdf  (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4393346/normal_5f90ebc806cbd.pdf  (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366377/normal_5f886a577c158.pdf  (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366312/normal_5f89e6cfe3541.pdf  (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4382209/normal_5f8c23a43b73a.pdf  (In PDF document text)
    • http://www.opentle.org  (In extracted file stream_005_off00006460.bin)
    • http://www.ascendercorp.com/  (In extracted file font_00_sfnt_off000053db.bin)
    • http://www.ascendercorp.com/typedesigners.html  (In extracted file font_00_sfnt_off000053db.bin)
    • https://uploads.strikinglycdn.com/files/bc6b03d5-a61f-4811-983d-990691013490/temazugagutejonujotovu.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/bf660d72-e236-43c7-adac-0c3629c626d5/zitipinivejediz.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ab4e8af7-aa9c-4845-9bcd-7ffe7ed6d83a/dunivebipesasedoxa.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/5107c24b-aedb-48c0-b631-3ac6a6a46cc3/kusonixu.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/07b87848-ec9d-4bb6-be37-0e00c032b54e/kizudasoxotivi.pdf  (In PDF document text)
    • https://s3.amazonaws.com/luramamelolem/alimentos_anticoagulantes.pdf  (In PDF document text)
    • https://s3.amazonaws.com/bubisifapagefe/antinomien_helsper.pdf  (In PDF document text)
    • https://s3.amazonaws.com/gupuso/bonuvifo.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/323c73fd-dfc7-4bb0-96a9-8dfbff96562f/35030709556.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a9262a42-1816-4d22-8940-e07069a912c9/nelson_denny_reading_test_study_guide.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/e11e63b8-b6da-44b8-aab0-fa7f87a51c38/ppsspp_games_android_download.pdf  (In PDF document text)
    • https://uploads.strikinglycdn.com/files/d3a5552f-4b3e-4f1b-b4ea-d2880d9201a7/burkes_outlet_job_application.pdf  (In PDF document text)
    • https://s3.amazonaws.com/zupenafud/basic_laws_boolean_algebra.pdf  (In PDF document text)
    • https://s3.amazonaws.com/fatikonavori/4267701306.pdf  (In PDF document text)
    • https://s3.amazonaws.com/zetare/wizevivulosupitopopiku.pdf  (In PDF document text)
    • https://s3.amazonaws.com/gupuso/23527879354.pdf  (In PDF document text)
    • https://s3.amazonaws.com/leguvefu/deconstructivismo_arquitectura.pdf  (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (In PDF document text)
    • http://purl.org/dc/elements/1.1/  (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (In PDF document text)
    • http://www.gnu.org/licenses/gpl.html  (In extracted file stream_005_off00006460.bin)
    • http://scripts.sil.org/OFL  (In extracted file font_00_sfnt_off000053db.bin)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_005_off00006460.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6460
    Size: 10932 bytes
    SHA-256: 65949ab0792315e5924ebdd43353a5a966af49c912c4b578831048e0e6ca3fa6
  • font_00_sfnt_off000053db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x53DB
    Size: 4904 bytes
    SHA-256: 2412f16ec7ed7d24d1d6cc854f7b370f27b710ca4cb22fc2f0f678028cc1718d
  • font_02_sfnt_off0000837e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x837E
    Size: 9428 bytes
    SHA-256: beb8df71463ef79b1a3a37067456b09afd751f48eb37c9729623cdd06f54a563