MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
This PDF document is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of an advance-fee scam. It contains numerous links, many pointing to compromised CMS upload storage or disposable hosting, suggesting a tactic to distribute fraudulent content or redirect victims. The document's structure and content align with common phishing lures for lottery or parcel scams.
Machine Learning
- Nyx PDF Classifier malicious score 0.9912
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://nadrozmerne-sklo.cz/uploads/dejemesirigife.pdf
- http://bagliodeimille.it/userfiles/files/bilomuw.pdf
- http://gospel-pour-100-voix.com/fichiers/newsletter/file/biwaf.pdf
- https://h1t-urlaurora1-turbo.com/contents/files/nivejabifapav.pdf
- https://austarpharma.austarchina.com/upload/files/33787284499.pdf
- http://solarwindependence.com/ckfinder/userfiles/files/29401656.pdf
- https://inprovitecuador.com/ckfinder/userfiles/files/79704116740.pdf
- https://kibledergisi.net/resimler/files/93314227439.pdf
- http://kenshopvn.com/uploads/files/duvagofeluxolejizobidiwav.pdf
- https://nbc.com.vn/ckfinder/userfiles/files/xavexopuwefizewoma.pdf
- https://portalbime.com/UploadedFiles/New/file/91335933112.pdf
- https://petpetmates.com/files/editor/file/72501664230.pdf
- https://lamaisonducoeur.ca/upload/editor/file/fabupidobebifugopat.pdf
- http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/161348d6a4921f---31721539129.pdf
- http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1613eca0206b60---82579412776.pdf
- https://n-tlg.com/files/file/68245257543.pdf
- https://www.yoursurveysurveyors.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16133fd7bc2fc8---5194375597.pdf
- http://atel-j.nl/uploads/files/gutaberolitab.pdf
- http://noticiascgnews.com.br/ckfinder/userfiles/files/23747730796.pdf
- http://webs123.com/userfiles/file/49285474614.pdf
- https://arendic.cl/files/datulonunadazibov.pdf
- http://umffz21.ru/admin/ckfinder/userfiles/files/75112282454.pdf
- http://smartcookieacademy.com/wp-content/plugins/formcraft/file-upload/server/content/files/161409b3637eb6---86266470522.pdf
- https://kvzriu.org/images/file/3069603611.pdf
- http://diagonal.org.ar/wp-content/plugins/formcraft/file-upload/server/content/files/1613fc8661709f---93266681216.pdf
- https://allcondosales.rodeodrivecondosale.com/userfiles/files/72631303046.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=how+to+flash+android+phone+using+power+button
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ecfa.bin16fa51c9d392a397cfb014a50b6e7108abc03b12abd4523dc04442d8b8d06a96 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xECFA | 11096 bytes |
font_01_sfnt_off00010657.bin6091145467f1632653bcfb354d8f6d782f2276148ff70c785c88c8bf52b980f7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10657 | 17768 bytes |
font_02_sfnt_off000134a1.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x134A1 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.