PDF malware analysis — malicious · f123ccc8997a9ca5

MALICIOUS

PDF

42.6 KB Created: 2020-09-06 02:57:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-05-09

MD5: f02184c4e66d2f5cd69b0576bdb92778 SHA-1: 64a39853dc47ced8ffa117e6447ffd5d2b2fbff0 SHA-256: f123ccc8997a9ca52c386115d31551c320ff9d8e35b28a5d092fde0e80b02fc5

194 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs, with a critical heuristic identifying a malicious redirector at 'https://ttraff.ru/wix?keyword=adobe+character+animator+2018'. This suggests a phishing or social engineering attack aiming to redirect users to malicious infrastructure. The document body, though heavily obfuscated, also contains this URL, reinforcing the lure. The presence of a large number of external PDF links, many hosted on Shopify, further indicates a link farm strategy to obscure the malicious destination.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.ru/wix?keyword=adobe+character+animator+2018 In PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://cdn.shopify.com/s/files/1/0437/8053/8526/files/31312759179.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0434/8251/3574/files/brigham_city_movie.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0434/9244/2264/files/83154394188.pdfIn PDF document text
- https://static.usrfiles.com/ugd/c1c462_e8bf515a20c24a8580247ca05daa2946.pdfIn PDF document text
- https://static.usrfiles.com/ugd/622218_5f99afcc7b8e435f9329cdc481f1ae28.pdfIn PDF document text
- https://static.usrfiles.com/ugd/ac0094_1a287fe6935b47128f8c0d4ca9e8ce6c.pdfIn PDF document text
- https://static.usrfiles.com/ugd/b8c837_f2a7f909c2aa42d596bc83264ff99d4c.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0430/8323/5489/files/21213582092.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0428/3056/1436/files/7674931989.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0430/3110/1603/files/vajenukuwuvebom.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0428/3862/2375/files/67078642727.pdfIn PDF document text
- https://cdn.shopify.com/s/files/1/0428/7689/5398/files/6519535549.pdfIn PDF document text
- https://static.usrfiles.com/ugd/9e41f0_9b5f8fdcd6b54ca3b81bda8e591f25f0.pdfIn PDF document text
- https://static.usrfiles.com/ugd/b8c837_912569e4c4bb43e8b098a71aeca5d8d9.pdfIn PDF document text
- https://static.usrfiles.com/ugd/3ce946_cfb44af961f04a2ea9219ee2730806ac.pdfIn PDF document text
- https://static.usrfiles.com/ugd/fb41f9_2c60845c7c72475ba9336a1ab2ffe1b3.pdfIn PDF document text
- https://static.usrfiles.com/ugd/b8c837_7eb4d1878acb441dab0ac39d9ed0ebe2.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000663a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x663A	5616 bytes
SHA-256: `cb7f7e67df8dba44cd2b9b5501818de92c38ac7f82412d2999786a6a866550f5`
`font_01_sfnt_off00007928.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7928	10612 bytes
SHA-256: `108d54b40d8eeff4cd07b18cfde7a439a6eecd5ced76117f6d2425e3e1fc0a62`

Open this report in the interactive analyzer, or submit your own file for analysis.