PDF malware analysis — malicious · 7d0808655780c1b7

MALICIOUS

PDF

76.8 KB Created: 2021-03-18 08:17:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04

MD5: 8b25df4e72a10b615684187be2f58121 SHA-1: 3a4e0dfda80f1ac045b51c17db6abe444f080171 SHA-256: 7d0808655780c1b71a0f353ab65e5b9a304e85a8bda54d8d4f8cbb6bc5f52d3a

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded links that redirect to known malicious infrastructure, specifically identified as a redirector for SEO-based phishing lures. The ML classifier strongly indicates maliciousness, and the presence of a redirector URL suggests an attempt to download a secondary payload or phish for credentials.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 4

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://dafemum.ru/123?utm_term=tamil+nadu+express+platform In PDF document text
- https://cdn-cms.f-static.net/uploads/4473375/normal_603af836da996.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4412897/normal_5ff11334d998a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4447437/normal_5ff0ecc8f1082.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4461746/normal_601a62bb337a4.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4467300/normal_6011ed594e15c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4462345/normal_601bf032d8f3e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4379487/normal_60153aaf613d2.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4392857/normal_5fe005f5ef10b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375340/normal_601a7f96e007b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370072/normal_6040dc76f21bb.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372737/normal_603abc633ebf8.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4426819/normal_6017d4e4eb873.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4499656/normal_6026d1645b5f0.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4402964/normal_604e487ba9df6.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://s3.amazonaws.com/zaxawetawupo/8856070250.pdfIn PDF document text
- https://s3.amazonaws.com/labitajaxatufib/first_written_warning_template.pdfIn PDF document text
- https://s3.amazonaws.com/luropiw/jibin.pdfIn PDF document text
- https://s3.amazonaws.com/xufujofaleki/19966157163.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/255f7d45-9076-4c9f-9bc5-a86403991b03/fawazavixinumagubi.pdfIn PDF document text
- https://s3.amazonaws.com/viwoxuz/88338162112.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/605480f2-9fb4-4adf-926d-25fde27b4a73/asus_xonar_dgx_review.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b0934e36-ab83-400e-adb8-addbfb21ae34/tabela_de_preos_de_carros_seminovos_da_chevrolet.pdfIn PDF document text
- https://s3.amazonaws.com/kefodek/spanish_alphabet_worksheets_free.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1b325250-c250-4840-a436-19ba8e39e5d6/50650420402.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ef3d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEF3D	5204 bytes
SHA-256: `f4f03a0018ccc576663d597b04aa7f107ecd39e6cbabec5256d4086146b57448`
`font_01_sfnt_off000100df.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x100DF	10908 bytes
SHA-256: `33ba35c8034286de64be0c35951871b65003c0f76c24799ccf78e5603c390b08`

Open this report in the interactive analyzer, or submit your own file for analysis.