Risk Score: 156 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF was flagged as malicious by both ClamAV (a Pdf.Phishing.Trojan signature) and the ML classifier (score 0.999). Heuristics identified it as a link farm whose targets sit in compromised CMS upload directories and on disposable hosting, i.e. a document built to route users to attacker-controlled pages rather than to carry content. Embedded URLs such as 'https://ketchas.ru/uplcv?utm_term=how+to+reset+a+vivint+thermostat' serve as search-engine lures for phishing or malware delivery. The heuristics found no exploit inside the PDF itself; the risk lies in the linked destinations.
Machine Learning
- Nyx PDF Classifier malicious score 0.9990
Heuristics 6
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- https://ketchas.ru/uplcv?utm_term=how+to+reset+a+vivint+thermostat
- http://bachova-terapia.sk/images/file/98210953857.pdf
- http://gatewayhotelbangkok.com/upfile_hotel/files/dedifutugotupugigu.pdf
- http://careerhack.net/wp-content/plugins/formcraft/file-upload/server/content/files/160883d1aa45e0---sinorivane.pdf
- http://homeopathyhk.com/files/rawolub.pdf
- http://capital96.com/userfiles/file/32218248671.pdf
- http://chinajnbt.com/images/upload/File/ziwizajofonoje.pdf
- http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0122fe9441---wasiribelabigajawawegato.pdf
- http://hodori247.com/uploads/files/fugebazuvakulitekuziwi.pdf
- https://dichvuketoanvn.org/uploads/files/6436416909.pdf
- https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/16077b9a5b5fcf---18291011655.pdf
- https://www.goldenplanet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160ec52c429024---30294307776.pdf
- http://cbgnfinance.com/userfiles/file/47780971499.pdf
- http://15fratrowreunion.com/clients/2/2b/2b18ccadde375fd95e9ac2d5db5aaa67/File/23861045411.pdf
- http://baloneacessorios.com/_upload/file///94678150209.pdf
- https://bizdrive.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/160ace54cdd91b---23102530935.pdf
- http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/160797489407e8---9478208053.pdf
- http://www.tobywells.org/media/fckdir/file/mikexezopasureruraladatu.pdf
- https://drlanda.hu/user/file/pubudujal.pdf
- http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077133a0f52f---98461772584.pdf
- https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/a23a809749c129528cd80809552c9b94/68860610145.pdf
- http://www.ebsjosepirosamaria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2adac3b783---20671914973.pdf
- https://brianhigbielaw.com/UserFiles/file/vilolonupipunanokabomadep.pdf
- http://www.lbf-cosmetics.com/website/wp-content/plugins/formcraft/file-upload/server/content/files/160b37454c7d0f---wanorogusujixuritol.pdf
- https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/5bb51550d588c65e56a4ce0964149362/54645518698.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
The last eight entries are XMP/RDF namespace URIs and DejaVu font project/licence links; they are expected in any PDF that carries XMP metadata and embedded DejaVu fonts and are not indicators. The 25 entries above them are the link targets the heuristics scored.
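The two link-farm heuristics above describe a shape rather than a signature: many clickable links, spread across many hosts, whose targets are random-slug files in form-plugin upload directories, plus a utm_term redirector. The following is an added example of that scoring logic run over this report's own URL list; it is not the analyzer's rule code, and the thresholds (10 links, 3 plugin-upload targets, no host above a third of the links), the indicator names and the GENERIC_UPLOAD and RANDOM_SLUG patterns are assumptions tuned on this list.

```python
"""Score a PDF's extracted URL list for the SEO link-farm shape flagged above.
Added example, not the analyzer's own rule code; thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Upload stores of the two WordPress form plugins named in the heuristics.
CMS_PLUGIN_UPLOAD = re.compile(
    r"/wp-content/plugins/(formcraft/file-upload/server/content/files|"
    r"super-forms/uploads/php/files)/")
# Other CMS/editor upload directories (assumed, weaker indicator).
GENERIC_UPLOAD = re.compile(
    r"/(userfiles|uploads?|upfile_hotel|fckdir|_upload|files?)/", re.I)
# Random-slug basename: optional hex-timestamp prefix, then digits or gibberish.
RANDOM_SLUG = re.compile(r"^(?:[0-9a-f]{10,}---)?(?:\d{8,}|[a-z]{7,})\.pdf$")
# XMP namespace and font-metadata URIs: present in any PDF, not link targets.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "dejavu.sourceforge.net"}

# The URL list exactly as extracted in the report above.
REPORT_URLS = [
    "https://ketchas.ru/uplcv?utm_term=how+to+reset+a+vivint+thermostat",
    "http://bachova-terapia.sk/images/file/98210953857.pdf",
    "http://gatewayhotelbangkok.com/upfile_hotel/files/dedifutugotupugigu.pdf",
    "http://careerhack.net/wp-content/plugins/formcraft/file-upload/server/content/files/160883d1aa45e0---sinorivane.pdf",
    "http://homeopathyhk.com/files/rawolub.pdf",
    "http://capital96.com/userfiles/file/32218248671.pdf",
    "http://chinajnbt.com/images/upload/File/ziwizajofonoje.pdf",
    "http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0122fe9441---wasiribelabigajawawegato.pdf",
    "http://hodori247.com/uploads/files/fugebazuvakulitekuziwi.pdf",
    "https://dichvuketoanvn.org/uploads/files/6436416909.pdf",
    "https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/16077b9a5b5fcf---18291011655.pdf",
    "https://www.goldenplanet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160ec52c429024---30294307776.pdf",
    "http://cbgnfinance.com/userfiles/file/47780971499.pdf",
    "http://15fratrowreunion.com/clients/2/2b/2b18ccadde375fd95e9ac2d5db5aaa67/File/23861045411.pdf",
    "http://baloneacessorios.com/_upload/file///94678150209.pdf",
    "https://bizdrive.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/160ace54cdd91b---23102530935.pdf",
    "http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/160797489407e8---9478208053.pdf",
    "http://www.tobywells.org/media/fckdir/file/mikexezopasureruraladatu.pdf",
    "https://drlanda.hu/user/file/pubudujal.pdf",
    "http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077133a0f52f---98461772584.pdf",
    "https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/a23a809749c129528cd80809552c9b94/68860610145.pdf",
    "http://www.ebsjosepirosamaria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2adac3b783---20671914973.pdf",
    "https://brianhigbielaw.com/UserFiles/file/vilolonupipunanokabomadep.pdf",
    "http://www.lbf-cosmetics.com/website/wp-content/plugins/formcraft/file-upload/server/content/files/160b37454c7d0f---wanorogusujixuritol.pdf",
    "https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/5bb51550d588c65e56a4ce0964149362/54645518698.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

def classify_link(url):
    """Indicator names that apply to one URL."""
    p = urlparse(url)
    if p.hostname in METADATA_HOSTS:
        return {"metadata"}
    tags = set()
    if CMS_PLUGIN_UPLOAD.search(p.path):
        tags.add("cms_plugin_upload")
    elif GENERIC_UPLOAD.search(p.path):
        tags.add("generic_upload")
    if RANDOM_SLUG.match(p.path.rsplit("/", 1)[-1]):
        tags.add("random_slug")
    if "utm_term" in parse_qs(p.query):
        tags.add("utm_term_redirector")
    return tags

def score_link_farm(urls, min_links=10, max_dominant_share=0.34):
    """Aggregate per-link indicators into the two link-farm verdicts."""
    links = [u for u in urls if "metadata" not in classify_link(u)]
    n = len(links)
    hosts = Counter(urlparse(u).hostname for u in links)
    tags = Counter(t for u in links for t in classify_link(u))
    share = hosts.most_common(1)[0][1] / n if n else 0.0
    return {
        "links": n,
        "distinct_hosts": len(hosts),
        "dominant_host_share": round(share, 2),
        "cms_plugin_upload": tags["cms_plugin_upload"],
        "generic_upload": tags["generic_upload"],
        "random_slug": tags["random_slug"],
        "utm_term_redirector": tags["utm_term_redirector"],
        # Many random-slug targets parked in vulnerable form-plugin upload dirs.
        "compromised_cms_link_farm": n >= min_links
        and tags["cms_plugin_upload"] >= 3 and tags["random_slug"] >= n // 2,
        # Links spread thin across hosts plus an SEO redirector.
        "disposable_link_farm": n >= min_links
        and share <= max_dominant_share and tags["utm_term_redirector"] >= 1,
    }

if __name__ == "__main__":
    for name, value in score_link_farm(REPORT_URLS).items():
        print(f"{name}: {value}")
```

On this list the script counts 25 link targets on 25 distinct hosts (dominant host share 0.04), 11 of them in FormCraft or Super Forms upload stores, 24 with random-slug basenames and one utm_term redirector, so both verdict flags come up true. The metadata URIs are excluded before counting so they cannot dilute the host distribution.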
Extracted artifacts (3)
Files carved from inside the sample during analysis. All three are embedded sfnt font programs, ordinary document content; no embedded files or scripts were carved.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000e42c.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE42C | 16792 bytes |
| font_01_sfnt_off0000fc3e.bin | a7e7e5b305a61efa6755e33cb02b171bd591f2e6a8f7a2f14a071f9ed94f29dd | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC3E | 17084 bytes |
| font_02_sfnt_off000128b1.bin | e4e79733009301b9b68bd990e47a2de12d3934c5723665f28235169175e6bb05 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x128B1 | 10468 bytes |
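The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic in the list above is easy to reproduce on raw bytes, because incremental updates append a second "N G obj ... endobj" definition rather than rewriting the first. The following added example (not the analyzer's code) scans a file for object numbers defined more than once with differing bodies, reports what a first-wins reader and a last-wins reader would each resolve, and raises severity only when a body carries an active-content key; the ACTIVE_KEYS list, the severity labels and the sample PDF bytes are constructed here for illustration.

```python
"""Find indirect objects defined more than once with different bodies and show
what first-wins and last-wins readers resolve. Added example, not the
analyzer's code; SAMPLE_PDF is constructed for illustration."""
import re

# "N G obj ... endobj"; the lookbehind stops "13 0 obj" matching as "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Coarse keyword check for active content; assumed list, not the analyzer's.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/GoToR",
               b"/SubmitForm", b"/OpenAction", b"/AA")

def scan_duplicates(pdf):
    """Return one finding per (num, gen) that has two or more distinct bodies."""
    bodies_by_obj = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies_by_obj.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for key, bodies in bodies_by_obj.items():
        if len(set(bodies)) < 2:
            continue  # single definition or byte-identical redefinitions
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": bodies[0],   # what a first-definition reader uses
            "last_wins": bodies[-1],   # what an incremental-update reader uses
            "severity": "raised" if active else "info",
        })
    return findings

# Constructed sample: a base document plus one incremental update that
# redefines object 2 identically, object 3 with a new MediaBox, and the
# link annotation 4 with a different /URI target.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.com/terms.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] "
    b"/Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (http://lure.invalid/uplcv?utm_term=free+template) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in scan_duplicates(SAMPLE_PDF):
        print(f["obj"], f["severity"], f["last_wins"])
```

Object 2 is skipped because its two bodies are byte-identical, object 3 is reported at info level (a body-only change with no active key, the benign incremental-update case the heuristic mentions), and object 4 is raised because the redefinition swaps the /URI target: a first-wins reader follows example.com, a last-wins reader follows the lure. A real scanner would additionally honour the xref chain, since this regex pass also sees objects inside object streams and dead bytes, and would treat any ACTIVE_KEYS hit as a prompt for parsing the dictionary rather than a verdict.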