Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccf3930eb20d1697…

MALICIOUS

PDF

75.3 KB Created: 2021-03-20 02:53:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04
MD5: bce2dc80ad3dd9189cf2452ba62ff1ad SHA-1: 35bdde7228bda33ce5fc0112bf20bf40433c46de SHA-256: ccf3930eb20d16977e50280e4b2764dd401a699f3d195cb672dd58eb254818bf
124 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to a malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text related to downloading a game, suggesting a lure. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the embedded URL is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=download+minecraft+1.8+9+forge In PDF document text
    • https://cdn-cms.f-static.net/uploads/4493550/normal_5fd8906fb7588.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4469359/normal_5fd71de745b98.pdfIn PDF document text
    • http://helpcenter.business/99156337820d3w3f.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4448992/normal_5fefc18a0b4f3.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4457577/normal_6034e9c76d42a.pdfIn PDF document text
    • http://pipvip.ru/3-4_skills_practice_equations_of_lines8hwfk.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4414487/normal_60473ab2f05e5.pdfIn PDF document text
    • http://magnitoli-2ekran.site/364720934415vn8b.pdfIn PDF document text
    • http://fitit.space/737653305480rkd8.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/pukiza/free_crochet_waffle_stitch_afghan_pattern.pdfIn PDF document text
    • https://s3.amazonaws.com/luxaduzimase/67785964523.pdfIn PDF document text
    • https://0ea28b16-58c2-472d-b6be-3e97fe9b7bb6.filesusr.com/ugd/696b8a_05faafbc4d3745cfb06d85693480b326.pdf?index=trueIn PDF document text
    • https://1c437d0a-cccb-4a8a-93f1-39e0b5126915.filesusr.com/ugd/b91566_d8319bd564a84eb497967da550ecde65.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4859fc5-a722-49a3-aa78-2ed0dcd43b45/44048511618.pdfIn PDF document text
    • https://411563d6-f1a1-4768-9eaa-86e4eb1f1ae3.filesusr.com/ugd/6d8349_cb8b959a73014f00aacc858a1f44a34a.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/6a766846-ebb9-4d6c-b039-65f842d41d3c/how_to_calibrate_a_fluke_thermometer.pdfIn PDF document text
    • https://855e1e5b-0daf-4dce-aa73-dfad2bfec5df.filesusr.com/ugd/ced2dc_5e7a849df24b402d827d3e5caff3d37f.pdf?index=trueIn PDF document text
    • https://s3.amazonaws.com/punurum/noletunevom.pdfIn PDF document text
    • https://9e6c4f0b-3406-4274-bf8a-5be7f948d240.filesusr.com/ugd/45c6ff_b2bbe5629afc46c393a3728ee7589fa2.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/be3a16a5-1899-47a6-a9b0-237d08533801/21839476737.pdfIn PDF document text
    • https://72a23b54-95c1-47c0-80d6-f7b1310faeb8.filesusr.com/ugd/65b209_99fcd75c358a49679f00bbe6b1a36e91.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d92e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD92E 5688 bytes
SHA-256: cd76d0474fbfccc2da8b19b9e187ff089293921dadc602cf557eaf648add4f13
font_01_sfnt_off0000ec96.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC96 15984 bytes
SHA-256: 6c343fde025fcebfe930d934f34f5e0f75dcdd0c28a65cc4bd3c304992023de1

Open this report in the interactive analyzer, or submit your own file for analysis.