Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ca9d4ec43f34b7f…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-03-23 14:40:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-04
MD5: 8221cc2fc8e4088695fde7311e8ae894
SHA-1: b61d807649f7fc1d8ba4eda385c3550b48a55d47
SHA-256: 7ca9d4ec43f34b7fb1b42611f11d62eae14bf13b873cbe35fd0f6e2cc99bc038
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a lure related to car seat stroller combos, which is a common tactic for phishing campaigns. It embeds a URL that redirects to a malicious domain, likely to host a secondary payload or phishing page. The ML classifier strongly indicates maliciousness, and the presence of an external URI and redirector link further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=should+i+get+a+car+seat+stroller+combo (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000fae3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFAE3    5596 bytes
  SHA-256: 989d631fe88b556c53decf8c04ae2d30a837e9411494025f11b4eb02d45278ce
font_01_sfnt_off00010db7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10DB7   10656 bytes
  SHA-256: 7b1d6e58eb79cd50ebfd3aa9268f0e7ba99879f120304d1c966ab26f38d4d5f3