Malicious PDF — malware analysis report

Static analysis result for SHA-256 a849e20f23a22790…

MALICIOUS

PDF

37.6 KB Created: 2020-10-23 23:12:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: b981589492b5732bd43b288b8829d14b SHA-1: 06a5a94c079ffc842f788771478d7c3d07eb7619 SHA-256: a849e20f23a227908b96457322ec155de7e6209c60e5cf484f5286cc1aecd000
192 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to external resources, many of which are part of a link farm designed to appear as legitimate document downloads. The primary link redirects to a known malicious domain, suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains the same lure text and URLs found in the heuristics, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/aws?keyword=abstract+reasoning+questions+with+answers+pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4366653/normal_5f881f166098e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369165/normal_5f880599e4561.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369486/normal_5f880ffd49a5d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366047/normal_5f88976c5efab.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4373516/normal_5f9227330a422.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/c87cee88-1ea4-4ed0-a24a-b63aeb4df7f0/wazisugepekaviweneximiru.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c39083fb-76e1-458c-b7d4-523d6b76faa8/zedesofusimajetebose.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/90ed799b-3540-4350-b9b0-c790582a2c43/96831242939.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f763a7ab-9555-4559-b9eb-57ae266f4947/66845203422.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/88c96e56-ef05-4e85-b3f3-f3a473d6fdc7/12838759409.pdfIn PDF document text
    • https://s3.amazonaws.com/henghuili-files2/24791939829.pdfIn PDF document text
    • https://s3.amazonaws.com/zetare/zazerejezime.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8b4a80a7-561e-4d2e-b7f6-beb169983f71/laxobuxifazasaxegunob.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/649e85dd-06c1-49fe-bea8-999620c959d8/67891552083.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1b9c02df-823c-492e-86b5-732caf8344df/75940245948.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d625187e-19ed-453d-b740-c6a17e1f8135/rovekaxepeno.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/45c14f2b-51b8-4860-a74f-c56a2a0d4744/28978435859.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/3771/6391/files/alimentacion_de_la_cultura_mixteca.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/3977/1802/files/48488447795.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/8172/0515/files/fossil_shark_teeth_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/18aa71f0-4df6-4fe9-a668-8bfa4fccdd70/relasetelekovesovogowogo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ee07df3f-e74a-40d7-ab5d-0ee67ed4fe4c/44181578062.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/941c9e75-d576-45bb-8abf-4d0c0165e230/bovefoz.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007e0c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7E0C 5732 bytes
SHA-256: c73d99e58603ef468cabfc2b3bb82f27252de5682928fd9619fd9d39c6a0391e

Open this report in the interactive analyzer, or submit your own file for analysis.