MALICIOUS
186
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF file was identified as malicious by multiple heuristics and a machine learning classifier. It contains a large number of external links, many pointing to disposable domains, suggesting a link farm or SEO manipulation scheme. The presence of a link to 'vilenefex.ru' further supports the malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/wix?keyword=shop+vac+all+around+ez+1.5+gallon+manual PDF link annotation
- https://zejuraxarobepek.weebly.com/uploads/1/3/1/4/131407797/nikuv.pdfIn PDF document text
- https://static.s123-cdn-static.com/uploads/4451753/normal_6008ab072b606.pdfIn PDF document text
- https://ditixalopu.weebly.com/uploads/1/3/1/4/131410538/d271b90d92c5e13.pdfIn PDF document text
- https://dagakaxogofawi.weebly.com/uploads/1/3/4/6/134699425/1934271.pdfIn PDF document text
- https://vagoledos.weebly.com/uploads/1/3/5/3/135320004/d17b626d3a2a093.pdfIn PDF document text
- https://gafapelisepofas.weebly.com/uploads/1/3/4/7/134762307/fifututiga-jesiwebubeka-ripokubufevi.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4382423/normal_5fdc21792275b.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4380229/normal_601b3a42882ca.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://e18e6c05-101e-4f41-9c4d-f518aea09dbb.filesusr.com/ugd/7972b3_1a496411e9cd44a981bd265a06a39238.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/c203891d-fb83-496a-8785-81cf3bf34f22/sadelujopi.pdfIn PDF document text
- https://50fe66f1-00be-429c-ab6c-57a9f80d6ab9.filesusr.com/ugd/39cb9d_d178832bc7da4325a95cd8f3776ad882.pdf?index=trueIn PDF document text
- https://6d4cd3b7-91e9-43ac-92b9-205473f1e50d.filesusr.com/ugd/28146e_30089730721c4fb6b70dfe9526933851.pdf?index=trueIn PDF document text
- https://18cb0a1d-3822-48a5-9ca0-56465202bc9b.filesusr.com/ugd/96564c_6b5ef1c529074557ae83a8009ce2b998.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/ae8bc648-6a16-44f0-a005-e7adc194fd0a/94876223068.pdfIn PDF document text
- https://ff9dba89-6132-4485-99c2-ace8a2453124.filesusr.com/ugd/c3f59f_a48f246d4215498c870706ea4c2155ab.pdf?index=trueIn PDF document text
- https://1094d5c0-a920-47c7-a1de-7e2d56a92d84.filesusr.com/ugd/47b1e8_1d6586d73a3b4555b18722256604d774.pdf?index=trueIn PDF document text
- https://c05d8b73-d39f-4c49-b1ba-f5f4f4c97c14.filesusr.com/ugd/d55797_1411d4cf02624838b7dfe7dedd102347.pdf?index=trueIn PDF document text
- https://0f0532cb-4478-41f9-91a1-cf277c4732ec.filesusr.com/ugd/8acad3_e3b39dedce574bf7a0ed628eafac64ad.pdf?index=trueIn PDF document text
- https://45e41439-46a4-4c97-84f0-155cfeda4cef.filesusr.com/ugd/9d7ad9_d7d87eac9c4e47d5aa85a44dc24e0fd0.pdf?index=trueIn PDF document text
- https://1c92f6d8-19eb-429c-9239-1cf6be91372f.filesusr.com/ugd/cc1a03_6890f7cdbaff47a8b8a578d429d86f14.pdf?index=trueIn PDF document text
- https://uploads.strikinglycdn.com/files/5776d47e-ae3d-46bf-bba0-418750802b97/themes_in_the_tempest_act_1_scene_1.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e292.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE292 | 5732 bytes |
SHA-256: 6ad8491f19fb9fe38d2af601d9f7dff7e1dd8cd5ca87b14192b78402b1e8e610 |
|||
font_01_sfnt_off0000f600.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF600 | 15204 bytes |
SHA-256: b7d0dc13bcee01c57d0ef53842af558813a5e7c87df383f0e33d54519426b804 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.