Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3ecf9472ec4476d…

MALICIOUS

PDF

Size: 70.4 KB
Created: 2020-12-15 12:27:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-20
MD5: 2e89fc35e06fb0db8d55715ff94b2de8
SHA-1: 1ae98e0d0e5646c8003590203a5eddc37b4bf71c
SHA-256: d3ecf9472ec4476d9585bd131596515416565a956ed864c0b85da3769535597e
Risk Score: 126

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafficel.ru/wb?keyword=crispy%20seaweed%20sheets (PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000bf60.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBF60
    Size: 3132 bytes
    SHA-256: 27898434ed7cef6246b7b466f84a11d38a06f472f8daf5897290b59145ef764f
  • font_01_sfnt_off0000ca9b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCA9B
    Size: 4804 bytes
    SHA-256: f1e13dbc42e86cd0f840256e9745a30be3de0aa9006a7d112b6262720f66e4d7
  • font_02_sfnt_off0000db19.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB19
    Size: 10340 bytes
    SHA-256: be878dd9f2a89d5d429e12ae178956834d29878e8db84bb31f4792bedb9bc7df
  • font_03_sfnt_off0000fe50.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE50
    Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378