PDF malware analysis — malicious · 8c95f83e4909bfb6

MALICIOUS

PDF

74.3 KB Created: 2021-05-31 14:50:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2026-06-04

MD5: 9242f53372fc79257e5f9c599648131b SHA-1: 213c2223191092f482074f659fcd2aa61b00fb41 SHA-256: 8c95f83e4909bfb6cebdde08c53d769831a09c65844a6129e715c37b6b5dba78

76 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a heuristic indicating it is a lure for free downloads, specifically linking to a URL that appears to be an SEO redirector. The ML classifier strongly flagged this PDF as malicious. While no scripts were extracted, the presence of a malicious URL suggests an attempt to deliver a second-stage payload or phish for information.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 4

Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pixomot.ru/pbw?utm_term=program+codes+for+rca+universal+remote+control PDF link annotation
- https://static.s123-cdn-static.com/uploads/4374024/normal_5fec48ae4e327.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4418788/normal_6009c49221959.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4388825/normal_5fee66fd1e0a2.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4467285/normal_601acbadd6339.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4475874/normal_60660432b1888.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4451575/normal_603502f152212.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4456686/normal_5ffeb7ac4693d.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4383929/normal_5fe7f5d3cfb0a.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4449616/normal_5fe23454ad9e7.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4466379/normal_60548c16d0cce.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/710665e6-4479-418d-b796-a428cf327972/92103342357.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b06ddc16-2a89-4d76-8445-a7baa32e1a2e/how_to_connect_hp_3052a_to_wifi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/d333914a-77b4-4ca5-9a7b-ef555d45d618/6772210636.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/754f0ada-7e86-4205-95ed-7f04c0e8a513/adding_checkmark_in_nitro.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ebe7af1f-4a78-4cc7-8958-3c263ba47a8c/how_much_is_the_ipod_nano_7th_generation.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b36a05fe-045a-4ee8-8460-ceeb8875d427/rixizuwivaxopelexirutuwem.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/15435f86-3fd9-45af-acbd-54029ce41897/43010603592.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/0b2d94bd-4823-4d40-873c-ee8b7a63565d/what_is_the_strongest_intermolecular_force_present_in_h2o.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2861ec64-26b6-4a90-890d-4a3c4bcfc4d9/ruger_sp101_owners_manual.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f907ead8-0e84-46b9-85cb-e671b7083d3f/49969901413.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/00dc93d0-f326-4793-93bc-e3d98ecc43c9/ardaas_karaan_full_movie_watch_online_download.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2a0215f6-6232-4e1e-84dc-b1abe16e389d/what_are_the_skills_required_for_etl_testing.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/7d9366f8-28c7-4117-b2af-4c9d70ca59b1/siguxuten.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e7a1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE7A1	5404 bytes
SHA-256: `34d2182dfe7bef7a1073de04e00f47b2cb3bdcc19215bc71d245fb31046ef05a`
`font_01_sfnt_off0000f9f0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF9F0	9836 bytes
SHA-256: `53dfcdb46a10db28fe276f32c7edad912f954ac166726a554a296c44e98da5f6`

Open this report in the interactive analyzer, or submit your own file for analysis.