Verdict: MALICIOUS
Risk Score: 144
Machine Learning
- Nyx PDF Classifier suspicious score: 0.3450
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure plus SEO redirector) so it does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Embedded JS stream (low, PDF_JS): The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (info, PDF_URI): The PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://wirut.co.za/XSRYdR1H?utm_term=catalina+iphone+update++progress (PDF link annotation)
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0006360e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6360E | 16560 bytes | 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9 |
| font_01_sfnt_off00064d29.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64D29 | 20316 bytes | 505c310a38f05a11995bc4b4e3b6f6b9be6119efc5177666141801b3a7634ffa |
| font_02_sfnt_off00068385.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x68385 | 16336 bytes | adf38969d40f501586e0caf93d33991e243baeeecfe575c4831cdbf64b7044fa |
| font_03_sfnt_off0006998d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6998D | 10800 bytes | 18ce605c7cccedf4853c410ce3a4fc21dbaddc1942220cd97607936a512d6eb2 |