Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8805c51ea3e5852…

MALICIOUS

PDF

41.6 KB Created: 2021-01-10 01:11:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 83ec6ed70f3428db533bdd629902f826 SHA-1: 7cd0c05faf0dae243ccfb10cdbef3951e237f686 SHA-256: d8805c51ea3e5852f956402d3dfed2a98b936a5dea47be6ce3882f2fac4b0843
182 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics as malicious, including a critical alert for linking to known malicious redirector infrastructure. The embedded URLs and the document's structure suggest it is part of a link farm designed to redirect users to potentially harmful sites. No scripts were extracted, but the presence of numerous obfuscated links points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9297

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?utm_term=charitable+donations+2018+spreadsheet In PDF document text
    • https://site-1171394.mozfiles.com/files/1171394/bloomsburg_university_of_pennsylvania_athletics_staff_directory.pdfIn PDF document text
    • https://site-1177722.mozfiles.com/files/1177722/mepawuzevirogu.pdfIn PDF document text
    • https://site-1084247.mozfiles.com/files/1084247/super_street_fighter_4_androidgamegratisan.pdfIn PDF document text
    • https://cdn.sqhk.co/vovewotutal/bSj1icu/zedigazikofokikizureg.pdfIn PDF document text
    • https://cdn.sqhk.co/kepebeso/giigiNg/ibis_paint_x_logo.pdfIn PDF document text
    • https://cdn.sqhk.co/gobopovupav/ipwhcaX/god_simulator_roblox_codes_wiki.pdfIn PDF document text
    • https://site-1179856.mozfiles.com/files/1179856/jidigoxuzopexosikalufed.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4475859/normal_5fcc6d31e54c7.pdfIn PDF document text
    • https://site-1178505.mozfiles.com/files/1178505/zonufejimojez.pdfIn PDF document text
    • https://site-1174796.mozfiles.com/files/1174796/cruise_critic_carnival_vista_deck_plan.pdfIn PDF document text
    • https://site-1171722.mozfiles.com/files/1171722/29697270275.pdfIn PDF document text
    • https://cdn.sqhk.co/kekumumaxow/iiPAiwN/earth_wind_and_fire_fantasy.pdfIn PDF document text
    • https://s3.amazonaws.com/divelikubapiwaj/2020_summer_solstice_time.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.