Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4802cfb9d5a40bb…

MALICIOUS

PDF

54.6 KB Created: 2020-11-25 08:33:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 15f53be1b9a4c0aba648fbc7bfdd8236 SHA-1: 340393a195770452c00d68393c15770f0993668a SHA-256: f4802cfb9d5a40bb7c608e00d662bb3474b1c99b18fbb6844808117e471ff754
192 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by multiple heuristics and a machine learning classifier, specifically flagging it as a PDF redirector link. The primary IOC is the malicious URL which is likely used to lead the user to a phishing site or to download a secondary payload. The ClamAV detection name further supports its classification as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8985

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/aws?utm_term=the+boogeyman+song In PDF document text
    • https://cdn-cms.f-static.net/uploads/4386605/normal_5f9626219f648.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4374686/normal_5f8b15e2ded59.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4411717/normal_5faf09f502381.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369161/normal_5f8c0dc449362.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4420748/normal_5fa210d036fea.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366047/normal_5f87e08f6576a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4486975/normal_5fbac9672824c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4409409/normal_5f96452ad0fd9.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/add4e931-0b22-4af3-bfca-894f32bde179/modern_physical_organic_chemistry.pdfIn PDF document text
    • https://s3.amazonaws.com/rejiner/gezopimas.pdfIn PDF document text
    • https://s3.amazonaws.com/zerepuzuze/island_of_hope_island_of_tears_worksheet.pdfIn PDF document text
    • https://s3.amazonaws.com/paropabaru/toxuxagukifepezabeb.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/086efe4e-bdab-4054-914c-2356c81a5ed0/favofegisigopubabitu.pdfIn PDF document text
    • https://s3.amazonaws.com/bejexe/14418041590.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.