MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file was detected by ClamAV as Pdf.Phishing.Trojan and ML classifiers flagged it as malicious. It contains numerous links to compromised websites, suggesting a phishing or malware distribution attempt. The presence of PDF-specific heuristics like 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' further supports this, indicating the document is hosted on potentially malicious infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 0.7549
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
QR-code redirect lure medium SE_QR_LUREDocument instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://autosofortkauf.ch/wp-content/plugins/super-forms/uploads/php/files/slo70sm4k0n5h803gpa6kh4kci/vugexetalizudowag.pdf
- http://weilandensemble.nl/ckfinder/userfiles/files/kigugutotogi.pdf
- http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bfe72fbb914---30308940738.pdf
- http://ventilatoryzlin.cz/images/file/22839730103.pdf
- http://thegibbsfamilyreunion.com/clients/d/d9/d929505c7faf6263097cc97620c39d65/File/5037377064.pdf
- https://majorsagilekvaros.hu/uploads/file/mewubosefeturonopota.pdf
- https://www.nestroots.com/wp-content/plugins/super-forms/uploads/php/files/m4i6jsfo7btalh4e298gu30c34/61321363449.pdf
- http://inlikeflintlogistics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160762926239d8---61894476779.pdf
- https://esteticarcare.com/wp-content/plugins/super-forms/uploads/php/files/264dafeafe7c0bea543def956a90e0b7/wiradikev.pdf
- https://halobysciton.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608532d430bea---lonixarinupeg.pdf
- https://advancedbusiness.co/wp-content/plugins/super-forms/uploads/php/files/d034fb349e13e7e9144dadd4bf169418/4602734445.pdf
- https://www.freshstartdigitalmarketing.com/wp-content/plugins/super-forms/uploads/php/files/fa2ba0153e81763d0a70f8490d1de212/97583983372.pdf
- https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/1bv8agpqlsum588g6j0eark1do/75332566979.pdf
- http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/160bc72ff321e6---nuvevivuxisewozob.pdf
- https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608abbd267c4a---73572890908.pdf
- http://cnpair.com/userfiles/file/25031923505.pdf
- http://besttailor.info/ckfinder/userfiles/files/bebomutuzozovojot.pdf
- http://cortabellanews.com/userimages/fekadiduj.pdf
- http://www.kliningstroy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160bec5cad40e3---93671161040.pdf
- http://cambridgekapurthala.com/damana/userfiles/file/vufituje.pdf
- https://affordans.com/ckfinder/userfiles/files/visofivafufinatosase.pdf
- https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/16083a45025c9f---zibisepaforedodo.pdf
- http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609ab934076c0---rodidegokujuxotixotuvi.pdf
- http://alibabashipping.com/userfiles/file/13577580788.pdf
- http://longarmacademy.net/fckeditor/userfiles/file/gofewubowadunew.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=practical+aviation+security+pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00063e57.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x63E57 | 16792 bytes |
font_01_sfnt_off0006566e.bin6be6077f8f3597d448c52dae7c20f5ac8f5226c720ee2031952e2846bac1c3f9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6566E | 10892 bytes |
font_02_sfnt_off00066fc8.binbf85ce1a90eee3e3b68871d63fc869bf2df12e7c8fafdbc9772bbbe919639360 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66FC8 | 20236 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.