Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5d57af903d597a1…

MALICIOUS

PDF

Size: 122.9 KB
Created: 2022-03-07 14:07:09
Authoring application: Civil And Natural Obligation live (via FPDF 1.82)
First seen: 2026-06-27
MD5: 1703b6624744bff633dc39f1fe70e9bf
SHA-1: 28b5031e7f8835df5feefe3de5ffd3423eadc925
SHA-256: c5d57af903d597a15821e1b184745b9692f8e5dba18466175bf5b7104beded3b
Risk Score: 92

Machine Learning

  • Nyx PDF Classifier clean score 0.0025

Heuristics 3

  • Invisible/repeated PDF links deliver payload file [critical] (PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • PDF carries SEO doc-farm redirector links (/pdf/<domain>) [medium] (PDF_SEO_DOC_REDIRECTOR_LINK_FARM)
    PDF contains clickable redirector links whose path ends in a bare website domain behind a /pdf/ or /doc/ segment (e.g. 'host/Document-Title-Slug/pdf/target-site.tld'), paired across both variants and/or alongside links into WordPress form-plugin upload storage. This is the generated 'free document/template' SEO phishing family: scrambled filler text plus links that route searchers through a redirector into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: stream_026_off0001deca.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1DECA
Size: 76950 bytes
SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c