MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious. It contains an embedded URI pointing to 'https://leonvi.ru/strik?utm_term=quran+only+urdu+translation+audio+mp3', which is likely a phishing or malware distribution lure. The PDF structure also indicates it's part of a link farm on disposable hosting, further suggesting malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://leonvi.ru/strik?utm_term=quran+only+urdu+translation+audio+mp3 (PDF link annotation)
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_006_off000136d7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x136D7 | 23308 bytes | a6298824eef22350bbad42f11c677e8186431d60d2ee3926a3da29f459ff30d3 |
| font_00_sfnt_off0000f427.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF427 | 5432 bytes | 6c1647b0ccf31f35e75db2e8f24023e9cab4f552cceb5e4566b64fc192b2ced8 |
| font_01_sfnt_off00010684.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10684 | 2140 bytes | 3eadf3ff1ae85f7a2dd8be852d633ca148c1d24200a16cbd4325889adc5789c4 |
| font_02_sfnt_off0001105e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1105E | 11200 bytes | f1edd70705184f55c31bef3d34702d39200d4bc6ca6675f9d4789964a81d2763 |
| font_04_sfnt_off00015eed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15EED | 6232 bytes | f4d2f293db8b304ebd2ab98b84466a183b5eb69e855c5f15d58e5743bf0fb729 |