Malicious PDF — malware analysis report

Static analysis result for SHA-256 f26953f1f575869f…

MALICIOUS

PDF

84.7 KB Created: 2021-02-12 21:45:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 126ecfa3d75bd2901e5b289e967c3e1e SHA-1: 2699728f6cd665c265ee4683a5fb9489b619941a SHA-256: f26953f1f575869fe3b8324b5d5f5df02dc167647b94e23165d8659f964ca352
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially malicious sites. The presence of a 'Monster Hunter World trainer' lure in the document body and metadata, combined with ClamAV detection as 'Pdf.Phishing.Trojan', strongly indicates a phishing or malware distribution attempt. While no scripts were explicitly extracted, the PDF structure and link farm behavior are indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8762

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/wix?keyword=monster+hunter+world+trainer+v+1669 PDF link annotation
    • https://cdn.sqhk.co/nusideja/1KicWpW/larva_heroes_lavengers_mod_apk_2._6._8.pdfIn PDF document text
    • http://fulusixavopowem.iblogger.org/tutorial_of_ms_office_2007.pdfIn PDF document text
    • https://cdn.sqhk.co/vumorumuvogi/uOOhdKV/vipoloxudazavesogixil.pdfIn PDF document text
    • https://cdn.sqhk.co/kusamika/jhcggji/28872341596.pdfIn PDF document text
    • https://cdn.sqhk.co/pemejurove/jbCdgjH/neon_green_hd_wallpapers_for_mobile.pdfIn PDF document text
    • https://bufibetotireguk.weebly.com/uploads/1/3/0/7/130739935/4328015.pdfIn PDF document text
    • https://cdn.sqhk.co/nivuduful/Nhfdgdo/pomunekodozofuxejevuli.pdfIn PDF document text
    • https://cdn.sqhk.co/bexoninodag/eZijcdJ/21665333654.pdfIn PDF document text
    • https://cdn.sqhk.co/gaxomawelej/F3jiijC/jumapepipub.pdfIn PDF document text
    • http://lizanuj.22web.org/affidavit_of_undertaking_legal_forms.pdfIn PDF document text
    • https://cdn.sqhk.co/zujubokave/jbjfwxD/get_more_likes_on_instagram_apk.pdfIn PDF document text
    • https://digafixi.weebly.com/uploads/1/3/0/7/130776371/2144670.pdfIn PDF document text
    • http://bovosidifusu.iblogger.org/pomezifulunazusitarare.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://duxurulokij.epizy.com/wusizujakofanaz.pdfIn PDF document text
    • http://dolasuwukino.epizy.com/kigenupokiwidevekago.pdfIn PDF document text
    • http://gofudawaropuz.epizy.com/prompt_corrective_action_rbi_guidelines.pdfIn PDF document text
    • http://figopovu.epizy.com/31195706842.pdfIn PDF document text
    • http://wejowuwa.rf.gd/contract_of_employment_part_time_template_free.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd64.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD64 5588 bytes
SHA-256: 242b8384e9c613d75b34d56bf76b13267ebd0d0743fb17ac9a64b041892c5a19
font_01_sfnt_off000110f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x110F2 5432 bytes
SHA-256: 15730a9c75e1e5d75924b4f6e4936f6136052093b9c41bd4a7c98de51b97336a
font_02_sfnt_off00012381.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12381 11716 bytes
SHA-256: 252f11d3b0853762ad10628fb3b672e1a5b5e6aebd5d22a6854bf6d7e8bcf0c4

Open this report in the interactive analyzer, or submit your own file for analysis.