Malicious PDF — malware analysis report

Static analysis result for SHA-256 d43f31be23b895a2…

Verdict: MALICIOUS

File type: PDF

Size: 73.9 KB
Created: 2021-03-10 16:45:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-04
MD5: de621afd6d1a2dbcee24da4ce731525c
SHA-1: 581d0539b45166a1e0c98688d19f7862f722423f
SHA-256: d43f31be23b895a2dc59d49a4055990398f5beec952d9ccbe91ac1680fed73fb
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The ML classifier and heuristics indicate this PDF is malicious, most likely a lure for an SEO link farm rather than an exploit carrier. The clickable link `https://lozipotod.ru/wix?keyword=linear+quadratic+systems+worksheet+answer+key`, disguised as educational content ("worksheet answer key"), suggests a phishing or malware-distribution redirect, and the many external links in the body text, spread across disposable free-hosting domains, follow the usual pattern of overwhelming the user with options while obscuring the real destination. Note that the only URL channels reported are a link annotation and document text; no JavaScript was extracted, so the T1059.007 mapping is not corroborated by the heuristics listed here, and the risk lies in the linked destinations rather than in the file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    The small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family: the document ranks for search queries and routes users into payload/redirect chains, rather than citing sources the way a normal document does. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or similar); here it stays at info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=linear+quadratic+systems+worksheet+answer+key (PDF link annotation)
    • http://suzenax.22web.org/can_you_keep_a_secret_book_wiki.pdf (in PDF document text)
    • http://lorakuze.sportsontheweb.net/chaos_theory_in_art.pdf (in PDF document text)
    • http://kedugobepuged.mywebcommunity.org/jawetakabesavuxowazoguvux.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4424007/normal_60403398a895a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415327/normal_603791fbf307a.pdf (in PDF document text)
    • http://jafoxidulez.mypressonline.com/the_boy_in_the_striped_pyjamas_movie.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://6e37e838-c278-4d46-baa9-25b8497af200.filesusr.com/ugd/fbcb80_31a0a24d33964b7189001fc59f261896.pdf?index=true (in PDF document text)
    • http://xapozemijemomoj.epizy.com/penewulokovetexuka.pdf (in PDF document text)
    • https://44407f20-7244-4107-9544-84d8151b6f9a.filesusr.com/ugd/8508de_baffc98a1f334df38a9a831de9484cb2.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0bbd7d2c-9c48-4730-89c0-d87ba034927f/88495830857.pdf (in PDF document text)
    • http://pidodexogejax.myartsonline.com/mathematical_induction_proofs.pdf (in PDF document text)
    • https://f8d4b294-f952-4a11-85e8-0a3036f9bdaf.filesusr.com/ugd/ad8f3a_0b9d23d04f0a4093a0f29085503c9515.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/67178c58-e602-4e09-bcf5-883997613ee7/how_to_help_a_child_with_separation_anxiety_at_school.pdf (in PDF document text)
    • http://gipebevu.atwebpages.com/kegezilunofofaxarazaw.pdf (in PDF document text)
    • http://javewexo.epizy.com/to_play_in_japanese_te_form.pdf (in PDF document text)
    • https://eaae50f7-3b1c-4f1b-9b3c-e2a48377569d.filesusr.com/ugd/b96e41_6f130045d15742309711ff58a87a1f4a.pdf?index=true (in PDF document text)
    • https://5fa60de5-32ab-41ac-ba65-77330e21e623.filesusr.com/ugd/2e16aa_7f89553f6a044851be221417ab5838c1.pdf?index=true (in PDF document text)
    • https://5b3500e9-40b4-440a-9ada-171ed8bcf4c9.filesusr.com/ugd/7820d0_ac099c17020349d0a0dd3cbbcda8fdec.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/97875356-e36c-4661-9805-1a1ac64362c4/p90x_plus_workout_schedule.pdf (in PDF document text)
    • http://wawutanow.epizy.com/37281832079.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The last seven entries are XMP/RDF namespace declarations from the document metadata and the SIL Open Font License URL from font metadata; they are not navigable links and should not be counted as link-farm destinations.
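The two heuristics above that do real work, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced over raw PDF bytes. The following is an added example written for this page, not the scanner's own code: it walks every `N G obj ... endobj` definition in file order, flags object numbers redefined by an incremental update with different bytes (and whether the later body carries an action or script key), attributes each URL to the channel that reached it (a /URI link annotation, a JavaScript action, or plain document body), and scores host spread against a disposable-host list. The host list, the thresholds (200 KB, at least 5 hosts, no host above 50% of links) and the sample PDF are constructed assumptions; the sample reuses URLs from this report and adds an incremental update that redefines the link annotation with JavaScript, which the real file was not reported to contain.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: a hand-picked list of free/disposable content hosts, taken from the
# URLs in this report; a real scanner keeps a larger curated list.
DISPOSABLE_HOSTS = (".epizy.com", ".22web.org", ".atwebpages.com", ".mywebcommunity.org",
                    ".myartsonline.com", ".sportsontheweb.net", ".mypressonline.com",
                    ".filesusr.com", "uploads.strikinglycdn.com", "cdn-cms.f-static.net")
# Dictionary keys whose presence makes a duplicated object "active content".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

def iter_objects(pdf: bytes):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order, so an
    object redefined by an appended incremental update is yielded twice."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()

def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same (N G) defined more than once
    with different bytes. 'active' is True when a later definition carries an
    action/script key, i.e. first-wins and last-wins readers disagree on code."""
    versions = {}
    for num, gen, body in iter_objects(pdf):
        versions.setdefault((num, gen), []).append(body)
    return {key: {"versions": len(bodies),
                  "active": any(k in b for b in bodies[1:] for k in ACTIVE_KEYS)}
            for key, bodies in versions.items() if len(set(bodies)) > 1}

def extract_urls(pdf: bytes) -> dict:
    """EMBEDDED_URL: map each URL to the channel(s) that reached it: a clickable
    /URI link annotation, a JavaScript action, or plain document body bytes."""
    channels = {}
    for _, _, body in iter_objects(pdf):
        uri_targets = {m.group(1) for m in URI_ACTION_RE.finditer(body)}
        has_js = b"/JS" in body or b"/JavaScript" in body
        for m in URL_RE.finditer(body):
            raw = m.group(0)
            channel = ("link annotation" if raw in uri_targets
                       else "javascript" if has_js else "document body")
            channels.setdefault(raw.decode("latin-1"), set()).add(channel)
    return channels

def link_farm_verdict(channels: dict, size_bytes: int, *, max_size=200 * 1024,
                      min_hosts=5, max_host_share=0.5) -> dict:
    """PDF_SEO_DISPOSABLE_LINK_FARM: a small file whose links are spread thin over
    many hosts with no dominant host, corroborated by a utm_term redirector and/or
    disposable hosts. The thresholds are assumptions for this example."""
    hosts = Counter(urlparse(u).hostname for u in channels if urlparse(u).hostname)
    total = sum(hosts.values())
    top_share = max(hosts.values()) / total if total else 0.0
    disposable = sorted(h for h in hosts
                        if any(h == s or h.endswith(s) for s in DISPOSABLE_HOSTS))
    redirectors = sorted(u for u in channels if "utm_term" in parse_qs(urlparse(u).query))
    fires = (size_bytes <= max_size and len(hosts) >= min_hosts
             and top_share <= max_host_share and bool(disposable or redirectors))
    return {"fires": fires, "hosts": len(hosts), "top_host_share": round(top_share, 3),
            "disposable_hosts": disposable, "utm_term_links": redirectors}

# Constructed sample shaped like the report's file: a page whose text carries many
# links on disposable hosts, a /URI link annotation (5 0 obj), and an appended
# incremental update that redefines 5 0 obj with a JavaScript action (assumed).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 420 >> stream
BT (http://suzenax.22web.org/can_you_keep_a_secret_book_wiki.pdf) Tj ET
BT (http://lorakuze.sportsontheweb.net/chaos_theory_in_art.pdf) Tj ET
BT (https://cdn-cms.f-static.net/uploads/4424007/normal_60403398a895a.pdf) Tj ET
BT (http://gipebevu.atwebpages.com/kegezilunofofaxarazaw.pdf) Tj ET
BT (http://javewexo.epizy.com/to_play_in_japanese_te_form.pdf) Tj ET
BT (https://uploads.strikinglycdn.com/files/0bbd7d2c/88495830857.pdf) Tj ET
BT (http://www.ascendercorp.com/typedesigners.html) Tj ET
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lozipotod.ru/wix?keyword=linear+quadratic+systems+worksheet+answer+key) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("https://lozipotod.ru/wix?keyword=linear+quadratic+systems+worksheet+answer+key", true)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    urls = extract_urls(SAMPLE_PDF)
    print("duplicate objects:", duplicate_objects(SAMPLE_PDF))
    print("link farm:", link_farm_verdict(urls, len(SAMPLE_PDF)))
    print("urls:", urls)
```

On the sample, `duplicate_objects` reports `5 0` as defined twice with the later body active (it carries `/JS`), `extract_urls` attributes the lozipotod.ru URL to both the link annotation and the JavaScript channel while the XMP namespace URI lands in "document body", and `link_farm_verdict` fires because nine hosts share nine links with six of them on disposable hosting. As on the real report, the namespace URI is swept up by the bare-URL regex; a production check should drop known metadata namespaces before counting hosts.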

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000e331.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xE331   5472 bytes
  SHA-256: a1b5fe74819d572c111eceddd187a8c6f895d4e570c7d362d08ea005e6f4079f
font_01_sfnt_off0000f5ba.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF5BA   10636 bytes
  SHA-256: 5230cda49f282b79cc3438703d823ff2f8b6f0bd1886bcf3ec2f89837943658a