MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF file contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to distribute malware or phish users. The primary URL, 'https://jacksth.ru/strik?utm_term=surat+al+mulk+latin+dan+terjemahan+pdf', appears to be a lure for religious text, which redirects to a potentially malicious site. The ML classifier and ClamAV detection strongly indicate malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://jacksth.ru/strik?utm_term=surat+al+mulk+latin+dan+terjemahan+pdf PDF link annotation
- https://sefusozikoju.weebly.com/uploads/1/3/4/3/134366316/sowofakub-pofigi-vifosanoribetex.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4369908/normal_600d986198b6a.pdfIn PDF document text
- https://dojinutek.weebly.com/uploads/1/3/4/1/134108596/3ab7f.pdfIn PDF document text
- https://vozoduxi.weebly.com/uploads/1/3/2/8/132815828/bunogikuwesire.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4492871/normal_5ff891bd2c73d.pdfIn PDF document text
- https://vefavufarexuba.weebly.com/uploads/1/3/4/3/134315694/8452565.pdfIn PDF document text
- https://xitirume.weebly.com/uploads/1/3/4/3/134392652/pusawafabava.pdfIn PDF document text
- https://narusipanunajix.weebly.com/uploads/1/3/1/0/131069819/8648011.pdfIn PDF document text
- https://zeniladafisu.weebly.com/uploads/1/3/5/3/135320186/litides-juvatuliwat-feloz.pdfIn PDF document text
- https://bomitepoz.weebly.com/uploads/1/3/4/8/134895739/xabatasasubu.pdfIn PDF document text
- https://wonikisemuk.weebly.com/uploads/1/3/4/9/134902350/2d8d898025e1.pdfIn PDF document text
- https://bugasidajuw.weebly.com/uploads/1/3/1/8/131856032/01365a83dcfa.pdfIn PDF document text
- https://lorotorerusut.weebly.com/uploads/1/3/1/4/131452969/7bd5b286f84.pdfIn PDF document text
- https://pipamoximiketo.weebly.com/uploads/1/3/0/9/130969724/807055.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4413851/normal_5feced6787b98.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4443799/normal_603def63650e9.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/bd593173-4725-4103-bb1f-1ee96ce83d25/26423387494.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/2a551efa-607b-46e1-9b8d-8faea6e593b3/wozofexiva.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f6d290ed-45b6-4cfe-b174-b96c69033578/14745664163.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/1185ad2b-946e-4f8f-b572-d478e54b262c/lonifu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/f16b360b-9f7a-46b2-a8ed-78f309a34fd3/voxubibapofoza.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/13f64530-354b-43ea-af7c-87103024da8a/bumazazonagopajufasi.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c9c64711-384f-4289-8d7e-a4f473505c2e/what_is_the_silence_of_god.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c4883dce-bb11-4dc9-ad71-7c1d5b4e8096/how_to_disconnect_a_brinks_alarm_system.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e961.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE961 | 5348 bytes |
SHA-256: 81ab464b9c5795a40c5cfbb02cb1aa2d686dcf6148367177dbdfb1c1f4215684 |
|||
font_01_sfnt_off0000fb6b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB6B | 10472 bytes |
SHA-256: 8eb1590168f563296155b3fe9f490d237a71d660b8e2d5ac00c110daa4c7ebdd |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.