MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF document exhibits characteristics of a phishing or malware distribution lure, as indicated by the 'SE_BROWSER_INSTALL_LURE' heuristic and the presence of numerous external links, one of which is associated with a suspicious domain ('vilenefex.ru'). The ML classifier and ClamAV detection further support its malicious nature. The document likely attempts to trick the user into downloading and executing a malicious payload disguised as a browser update or extension.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://vilenefex.ru/wix?keyword=free+agario+bots+mac PDF link annotation
- https://cdn.sqhk.co/tajixixejafi/hggmXIC/us_average_gas_price_history_chart.pdfIn PDF document text
- https://cdn.sqhk.co/laruxibut/khc0tyk/jewifivimaferoropabulilo.pdfIn PDF document text
- https://sixusiwof.weebly.com/uploads/1/3/1/4/131454093/wigalonewofi.pdfIn PDF document text
- https://tosafesixagosug.weebly.com/uploads/1/3/1/3/131383933/3d191f6.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/8bdeeff8-cd39-44e6-8f78-19becbd6d4a7/harry_potter_book_4_illustrated_by_jim_kay.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/df234d89-c48c-42d0-bb52-16083552cb0b/first_things_first_book_summary.pdfIn PDF document text
- https://s3.amazonaws.com/baxunaf/77338919012.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/efd5f3d6-6a36-4992-89bc-5307341528d9/bloom_and_lahey_model_ppt.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/ca5db861-94cc-40e9-951a-2703d92a7ad0/girefiza.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/eab0c82f-dedd-4a71-9f91-13ab69e5727a/kaxafilinuxobezibitek.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/8cf8f843-49f7-4535-a103-7ab58f018d3b/tajojuweweravibela.pdfIn PDF document text
- https://s3.amazonaws.com/legobegutulo/annamalai_movie_songs_starmusiq.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/6ec1fb8a-46bf-442c-bb51-a19af1ef27b3/samsung_remote_bn59-0119f.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/766cebe0-cfc2-45fb-ac02-4676f712df21/the_woman_in_cabin_10_chapter_2_summary.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/c43bc6a0-499c-43cd-9d83-7d41278171ba/12922576997.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/b9040fe0-980b-4da4-a5af-c8398f12ea43/all_souls_book_sparknotes.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/795f3b62-7832-4246-acf4-cf1cc3a57829/21469575150.pdfIn PDF document text
- https://s3.amazonaws.com/xajowu/how_to_learn_korean_language_fast_online.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/80fa0ec6-9069-4989-87d2-8f83bb198959/51591860900.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/99d21275-0817-4c35-9e6d-4c4e08b77f34/samsung_tablet_ce0168_manual.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e6de.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6DE | 5180 bytes |
SHA-256: 1372cbfe53c3c91ee16ef436eb3fe31492e0610e07c74c0ef9dbdd7faa2f5a1e |
|||
font_01_sfnt_off0000f86f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF86F | 11112 bytes |
SHA-256: 59587b9f5c136dc2969c25236e69efc411ed2b39b2e5ef858d020d0a7b250c9f |
|||
font_02_sfnt_off00011e89.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E89 | 16076 bytes |
SHA-256: 9d161d6e34f835aff196e226d852edde4d65b072a4902c32411b177d8c29261e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.