Malicious PDF — malware analysis report

Static analysis result for SHA-256 c54665755a146f35…

MALICIOUS

PDF

39.0 KB Created: 2020-10-12 02:20:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: c97c64a2cb884f3289fc1d6481287464 SHA-1: a1856b9ce596b0640024faf090168fdfe79e34ef SHA-256: c54665755a146f35da61893f46023cedec93fc081d6341feb030e9cdf26d4e80
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file functions as a link farm, containing numerous links to external websites. One of these links, 'https://ttraff.com/pify?keyword=atomic+emission+spectroscopy+slideshare', is identified as a malicious redirector. The document's structure and the presence of a malicious redirector suggest an attempt to lure users to malicious sites, likely for further exploitation or phishing. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=atomic+emission+spectroscopy+slideshare In PDF document text
    • https://site-1043600.mozfiles.com/files/1043600/15326932535.pdfIn PDF document text
    • https://site-1042348.mozfiles.com/files/1042348/pepitedale.pdfIn PDF document text
    • https://site-1039156.mozfiles.com/files/1039156/ribunaber.pdfIn PDF document text
    • http://moxosuzog.mybtop.com/uploads/1/3/0/7/130775350/8da9a.pdfIn PDF document text
    • http://files.maidtoshineservices.net/uploads/1/3/1/4/131437268/29f33e.pdfIn PDF document text
    • http://rifaxek.sorokaphotography.com/uploads/1/3/1/3/131398164/jidalowig.pdfIn PDF document text
    • http://files.accountinguci.com/uploads/1/3/0/8/130873907/wafizelov-josekijaze.pdfIn PDF document text
    • https://site-1040132.mozfiles.com/files/1040132/gimizibeved.pdfIn PDF document text
    • https://site-1038414.mozfiles.com/files/1038414/55737079382.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/88e3cf75-bf64-4e45-83bb-2245692a5048/25888849712.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/688700f1-e09c-45d6-8eaa-fc4104720841/xozonek.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c95c69f0-ed1c-45fb-ad19-758fd1bed79c/28065988572.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/597eafe7-94ba-4edf-b622-69cbccefd05c/zufosutef.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000086f9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x86F9 5404 bytes
SHA-256: ec0dcf5ba028e8c5095da1efbcf302f8ff26beac61d93b88432dc45da465d546