Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5da3f1a02c29101…

MALICIOUS

PDF

Size: 67.1 KB
Created: 2020-10-11 12:44:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-27
MD5: dd99a70813ec91d943678dd2aa8ac01a
SHA-1: 1e0af2d5e2259f67b3709e9106309d67ca037834
SHA-256: c5da3f1a02c291014497b1cad0894c07c71b48acb8dee53c4ec58fdf16566965
Risk Score: 194

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) (high) PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000079c6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x79C6  13968 bytes
  SHA-256: ef2be8e24f97e09fa05b0058a16fc4c126f84bc3df2433490631beb625f75f72
font_01_sfnt_off0000a677.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA677  5376 bytes
  SHA-256: e338b8406cf94acdc9d4f548653de6a3b7dcb734ad589b8c24978ef9aca48e84
font_02_sfnt_off0000b8cd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB8CD  10004 bytes
  SHA-256: 8c1c17123fa64743ff665521e8f51c0863b6e365602997ec64d2f08befbe5979
font_03_sfnt_off0000db63.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDB63  16088 bytes
  SHA-256: 51b8d4c4f17389d80b23040d591c0dccb099bca9103ea84f58116e310badbe13
font_04_sfnt_off0000f01b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF01B  4324 bytes
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e