Verdict: MALICIOUS
Risk Score: 174
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The PDF contains embedded JavaScript and multiple external URLs, including one pointing to a compromised WordPress site, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded JavaScript likely facilitates the download and execution of a second-stage payload from the identified URLs.
Machine Learning
- Nyx PDF Classifier: malicious score 0.6316
Heuristics (7)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Image lure linking to an SEO redirector (free-download phishing) (high, PDF_SEO_UTM_REDIRECTOR_LINK): PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- https://tevav.co.za/XSRYdR1H?utm_term=cassandra+for+windows+8.+1+64+bit (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0003b14a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B14A | 16560 bytes | 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9 |
| font_01_sfnt_off0003c86a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3C86A | 10996 bytes | 19fc7bb8fcbe243aab12f8db0a9f17da38a080c0745dc000fd5e65285ca03888 |
| font_02_sfnt_off0003e234.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3E234 | 17900 bytes | 83c32b4765bcbbf4321960686c71317690b4cdad93600416601b493985b8e344 |