Malicious PDF — malware analysis report

Static analysis result for SHA-256 c029db429f3c3c95…

Verdict: MALICIOUS
File type: PDF
Size: 70.2 KB
Created: 2020-12-16 05:08:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-05
MD5: a07e92108c3b43d317d5251b3cd7465d
SHA-1: 9c54fb025b4a3e77454bd112d22ed30cc91c31e1
SHA-256: c029db429f3c3c952b5b2f68dd29b284fd9bef3a216ca5277629e0395622d24b
Risk Score: 254

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links to SEO redirectors, with a primary link pointing to 'traffmen.ru', which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains text related to 'Android file manager software for pc', suggesting a lure for downloading software. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK)
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffmen.ru/wb?keyword=android%20file%20manager%20software%20for%20pc (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000c843.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xC843, 5344 bytes
    SHA-256: 1e1461060dcf83c770d21de2c9db8d50ce3add47e6b91c51c88063afb3236234
  • font_01_sfnt_off0000da63.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xDA63, 10384 bytes
    SHA-256: f2cb9a86642b1b256e17f3b72a9b4dc761ea68c47f10231d8636b8627f6266d8
  • font_02_sfnt_off0000fdd1.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xFDD1, 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378