MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many pointing to files hosted on strikinglycdn.com and s3.amazonaws.com, suggesting a link farm or SEO spamming technique. One primary URL, https://vilenefex.ru/strik, is flagged as unknown reputation and is likely the malicious destination. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Small PDF contains mass external PDF link farm | critical | PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI | info | PDF_URI
  PDF contains an external URL action
- Object number defined twice with different bodies | info | PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://vilenefex.ru/strik?utm_term=the+odyssey+book+16+analysis (PDF link annotation)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00012535.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12535 | 4984 bytes | 790e9129dfcc4f8d3338078d894fac68de086701f0ac0e7301aa1fea0f5a2d91 |
| font_01_sfnt_off0001361f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1361F | 10500 bytes | 93905578c76ea033c19cc6509114307632f2f939f66c2a5d9b0b244912ef3a73 |
| font_02_sfnt_off000159c0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x159C0 | 4324 bytes | ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3 |