Verdict: MALICIOUS
Risk Score: 164
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, with one identified as a potential phishing lure related to 'shatta wale mp3 download'. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting an attempt to manipulate search results or distribute content. ClamAV detection and ML classification confirm the malicious nature of the file, likely serving as a phishing document or a downloader for further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://jacksth.ru/strik?utm_term=shatta+wale+mp3+download+ghanamotion (PDF link annotation)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000157f4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x157F4 | 5456 bytes | 57a6f4cdc5043a70b94cfeb8f81425352cdb478e18f19086f00a3eec71ae7d1b |
| font_01_sfnt_off00016a6e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16A6E | 2664 bytes | 2d983743ea24f3185c1bce9b80d3585af41116a00c56c5b74fcbb1dd12f3b479 |
| font_02_sfnt_off000175e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x175E7 | 12732 bytes | 003dabed67abc74abe0700aaa52e60a008438b136d15298c493940e037b74f59 |
| font_03_sfnt_off0001a044.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A044 | 16060 bytes | bb4620ae2308066493f479cb0495314a41e91f5b0bfb2a754d9bad2ef34af03d |