Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd0cf52a1cbb34ea…

MALICIOUS

PDF

50.6 KB Created: 2021-01-10 11:45:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-05
MD5: 52177ac21849f4d04d7601b40d5ad252 SHA-1: d8e4e52ff88790442940a60e051ea17c5e9ee464 SHA-256: fd0cf52a1cbb34ea8c739209414dc12a640710d5625cece4da9372f1efd4adcd
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains numerous embedded links, many of which point to disposable hosting services and redirector infrastructure, indicating a phishing or scam attempt. The heuristic firings confirm the presence of malicious redirector links and a link farm hosted on disposable infrastructure. The ClamAV detection and ML classifier further support its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9443

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/aws?utm_term=creative+curriculum+lesson+plan+template+free In PDF document text
    • https://kinumefiboposif.weebly.com/uploads/1/3/4/8/134865532/392eba.pdfIn PDF document text
    • https://dikubudekoguzo.weebly.com/uploads/1/3/1/8/131857294/4175681.pdfIn PDF document text
    • https://site-1168510.mozfiles.com/files/1168510/94865317894.pdfIn PDF document text
    • https://cdn.sqhk.co/nimawabej/ajcGuMj/teacher_appreciation_week_ideas_for_each_day.pdfIn PDF document text
    • https://bagobizofenagex.weebly.com/uploads/1/3/4/7/134767931/jodawizut.pdfIn PDF document text
    • https://luludosob.weebly.com/uploads/1/3/4/7/134703274/a9b513236a65ec.pdfIn PDF document text
    • https://site-1168192.mozfiles.com/files/1168192/xijotukopapavobadi.pdfIn PDF document text
    • https://site-1241159.mozfiles.com/files/1241159/83951549414.pdfIn PDF document text
    • https://piminuwimizo.weebly.com/uploads/1/3/4/6/134674326/7325291.pdfIn PDF document text
    • https://site-1175290.mozfiles.com/files/1175290/zudirag.pdfIn PDF document text
    • https://cdn.sqhk.co/lenawemijixe/bCMhcgi/easy_mobile_recharge_app_download.pdfIn PDF document text
    • https://site-1166674.mozfiles.com/files/1166674/xowab.pdfIn PDF document text
    • https://cdn.sqhk.co/jakufomego/NOQidia/76943972828.pdfIn PDF document text
    • https://site-1179316.mozfiles.com/files/1179316/anime_dress_up_games_school_manga.pdfIn PDF document text
    • https://s3.amazonaws.com/voxulija/monthly_budget_spreadsheet_examples.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.