MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file was flagged by multiple heuristics, including a critical finding for a mass external PDF link farm and a ClamAV detection for Pdf.Phishing.Trojan. The presence of numerous external links, including one pointing to vilenefex.ru, suggests a phishing or SEO manipulation attempt. Although no scripts were explicitly extracted, the PDF structure and link farm heuristic indicate malicious intent to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/123?utm_term=les+miserables+1985+cast+recording
- https://cdn-cms.f-static.net/uploads/4403565/normal_5fe8aefe02d18.pdf
- https://cdn-cms.f-static.net/uploads/4474985/normal_60347f543097c.pdf
- http://bimoriz.getenjoyment.net/new_english_file_advanced_word_list.pdf
- https://wirupexulabajes.weebly.com/uploads/1/3/5/3/135322132/9972221.pdf
- http://vivekawiga.sportsontheweb.net/how_to_fix_a_small_engine_oil_leak.pdf
- https://cdn.sqhk.co/wadupaxi/hojbQPA/live_nation_tickets_ticketmaster.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://vorisenunajix.myartsonline.com/13145168527.pdf
- http://koxoxitukemanaj.epizy.com/55834748686.pdf
- http://nejesezape.myartsonline.com/caps_for_sale_printables_kindergarten.pdf
- https://s3.amazonaws.com/dutuzanob/nenoribavusote.pdf
- http://segoxegigo.epizy.com/buwefazonuwugiz.pdf
- https://s3.amazonaws.com/vinivuxo/ultimate_vocal_training_system.pdf
- https://s3.amazonaws.com/gupawupigawono/descargar_happy_wheels_android_2018.pdf
- https://s3.amazonaws.com/mejados/citrix_netscaler_load_balancer_datasheet.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e7a5.bin5488ce93b2da4a911314cbd3461e7ee139c5a12241ec3498123a1956e980fdd2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE7A5 | 3044 bytes |
font_01_sfnt_off0000f287.binc42a6593a3c173a5a91121728a21aeb2a26dd519d10c79eefd1faf764cb58187 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF287 | 5864 bytes |
font_02_sfnt_off0001065f.binb6c7b9eb7fadec9a7d49ac5e932287081247e52a847813711660c5cf15011cde |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1065F | 10548 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.