Verdict: MALICIOUS
Risk Score: 76
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
The PDF document contains a heuristic firing for a redirector link, identified as a 'free-download phishing' lure. The embedded URL, https://synerhu.ru/pbw?utm_term=how+to+reset+my+letscom+fitness+tracker, is the primary indicator of malicious intent, likely leading to a phishing or malware distribution site. The ML classifier also strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics (4)
- Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK: PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- External URI [info] PDF_URI: PDF contains an external URL action.
- Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://synerhu.ru/pbw?utm_term=how+to+reset+my+letscom+fitness+tracker (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ede0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDE0 | 5248 bytes | ebcccc7f8241daa615f4915575e4df211c52dd4f6a90c3a2edd2c96653aa2eee |
| font_01_sfnt_off0000ffb7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFB7 | 10864 bytes | 6770e0beb4aef80a1b7353d36d756b0bf0cc8cd42a96f506ed537325448e0ba6 |