Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5dd0c45680e370e…

MALICIOUS

PDF

46.1 KB Created: 2020-10-19 04:24:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-28
MD5: 5615eb4892bb1c627ab64ca424c30e02 SHA-1: 61775697424f16c1c9e9d53ebfda1a7066106616 SHA-256: c5dd0c45680e370e142479f07c25219bb705596c2503230ae9a626a6060050b4
234 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/wb?keyword=z3x%20samsung%20tool%20without%20box In PDF document text
    • https://bewapuvin.weebly.com/uploads/1/3/1/4/131453684/renezojajesume.pdfIn PDF document text
    • https://korodaziso.weebly.com/uploads/1/3/0/7/130740443/e2e3e927511a79.pdfIn PDF document text
    • https://tugajepefur.weebly.com/uploads/1/3/1/4/131453805/5458653.pdfIn PDF document text
    • https://zilavexeredora.weebly.com/uploads/1/3/0/8/130874610/d3f5d62682.pdfIn PDF document text
    • https://derodaju.weebly.com/uploads/1/3/1/6/131606282/miwegobajinegi.pdfIn PDF document text
    • https://xedaliwim.weebly.com/uploads/1/3/1/4/131454603/temopuvaguvujuzes.pdfIn PDF document text
    • https://kiseridebajesa.weebly.com/uploads/1/3/1/4/131408791/xaxexeladosixigip.pdfIn PDF document text
    • https://finiluxexolije.weebly.com/uploads/1/3/1/8/131856594/064fc2c83b3f28.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/3028/4957/files/home_alone_4_google_drive_mp4.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0266/9166/6114/files/kerala_co_operative_society_act_1969.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0501/2773/2896/files/46806414461.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0456/4418/5767/files/27753171702.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0500/1392/9630/files/drugs_to_avoid_in_g6pd.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/4485/8787/files/bogonifobiwod.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/5050/7167/files/sony_bookshelf_speakers_bluetooth.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f7a092cd-e4c4-43c5-93d9-54f5d5f55f94/23377995224.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/41053970-d0c2-45a7-b0f9-06a4a315ddcd/ligogozolo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d84e46ce-57ba-4397-8a22-72b918918b1c/gifuvozaj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c8989f1b-a5fa-43cc-9109-eab93413ee59/babizumufelajatelol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/01fb2fd8-a610-4eb1-8f26-795666c81497/3537801826.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bfff8fc2-a2eb-478b-b1fc-df4d2efefa42/xewijajopodanosajutiko.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000739f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x739F 5424 bytes
SHA-256: 5fc744698e56923c0aefb812f3f30b703ed95695ab8b3a1f45f489d0050ba932
font_01_sfnt_off00008604.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8604 10900 bytes
SHA-256: ce3dd528a728f38d86fb2fc4bc248a3964bfafcc96eb73fa99c59f15c19a933d