Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8c1548816120828…

MALICIOUS

PDF

Size: 58.6 KB
Created: 2021-02-26 23:12:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: ccbfefb1ee82ac598ce4c9c7bd77fd30
SHA-1: 837bf287ac8523931d690598ee4243e874e22b29
SHA-256: a8c1548816120828ee1ecb419220eef4302bb3dfbad433d0baa4463280c01298
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, and a critical heuristic classifies it as a 'PDF_SEO_LINK_FARM'. One of the primary external URIs points to 'gimoguvi.ru', and another suspicious link is 'xariketixagat.mypressonline.com/fapamozi.pdf'. The ML classifier and the ClamAV detection further support the malicious nature of this file, indicating a phishing lure or trojan carrier disguised as a document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6845

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/award?keyword=vicks+starry+night+humidifier+use+without+filter  (PDF link annotation)
    • http://xariketixagat.mypressonline.com/fapamozi.pdf  (in PDF document text)