Malicious PDF — malware analysis report

Static analysis result for SHA-256 d785d5e43b6c7760…

MALICIOUS

PDF

65.4 KB Created: 2021-03-05 00:36:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 921e89b92766e1be01e0ed63c9a7868f SHA-1: 6c9668794cf77e4ac68cc3be8c4c4abdd95176aa SHA-256: d785d5e43b6c77605ee8b0d0330ab1f0b7f13ace8ef788df1cffebc190ee1f91
242 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, many of which are hosted on disposable domains or known redirector infrastructure. The primary malicious link identified is 'https://crophysi.ru/award?keyword=how+to+reset+mettler+toledo+scale', which is flagged as a known malicious redirector. The document's structure and link farm behavior suggest it is designed to lead users to phishing or malware-hosting sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5403

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/award?keyword=how+to+reset+mettler+toledo+scale In PDF document text
    • https://static.s123-cdn-static.com/uploads/4477139/normal_600292f52f075.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4411937/normal_6027a76ef204c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4475874/normal_600adb3c86df9.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4383795/normal_6000a0eeeb995.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4387566/normal_5fe0340e82e6c.pdfIn PDF document text
    • http://xitaboketeloba.iblogger.org/87051163702.pdfIn PDF document text
    • http://kavosizob.iblogger.org/what_is_a_roof_deck_in_construction.pdfIn PDF document text
    • https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_721f4a0c8da04b7cb92b0d92bf3fffb6.pdf?index=trueIn PDF document text
    • https://61069a5e-3c5f-4884-a3c7-8c7552058b74.filesusr.com/ugd/0789d5_853100c71b9f4416a0c3534b6d7873ac.pdf?index=trueIn PDF document text
    • https://6f81cef9-66a2-447d-9e1d-4c0427ef15c5.filesusr.com/ugd/4d935e_bdd19db19e3642cdaf770b94a975c457.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/524788e5-00e5-4562-a997-f3a58c940008/zenith_transoceanic_7000_repair.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1c8944e5-491a-4d76-bd72-8af0dc1213c9/the_game_plan_2007_full_movie_free_download.pdfIn PDF document text
    • http://digudago.rf.gd/greek_root_words_with_greg.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cf59ac84-dcb4-4e1e-894c-e7040fefd2c7/56420856478.pdfIn PDF document text
    • https://0efdb04f-128a-4c0d-ace4-8b312723ebcc.filesusr.com/ugd/5508f4_87a8d2a2e6d447589e45b369bfd6d13b.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/31c80a74-f6e8-48fe-9cf7-b33e939be3eb/constitucion_de_puerto_rico_definicion.pdfIn PDF document text
    • http://fibubaxuvuvixik.epizy.com/55793077592.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/44f37d33-ea6b-4984-b325-cccb71f5ded4/dewalt_pressure_washer_3600_psi_parts.pdfIn PDF document text
    • https://ef2e072a-e8a2-4438-804d-cc750be2e2f6.filesusr.com/ugd/6a22cb_c43a6096073642718ad54cd559bbc706.pdf?index=trueIn PDF document text
    • https://3568ea06-17fa-4787-91ae-86b9aa918cbd.filesusr.com/ugd/8ade13_2c036adfb2c745a18648c2846cd9a575.pdf?index=trueIn PDF document text
    • https://1e16da7b-5b4f-4122-a3c4-5c88c9d97cf7.filesusr.com/ugd/83f04e_219494ee8a904627aab31a292c33a910.pdf?index=trueIn PDF document text
    • https://e437b920-fa79-41d5-b67c-0ca059f4e77a.filesusr.com/ugd/d97c10_ec7a7d72967b41a7b5290735e4888d68.pdf?index=trueIn PDF document text
    • https://39c1d623-eccb-4af0-a86a-15328a2d61f9.filesusr.com/ugd/3cb6cb_4bd581f3e3fe4d2c848dbdc81707a4bd.pdf?index=trueIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.