MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. Heuristics indicate the document functions as a link farm, pointing to multiple compromised WordPress upload storage locations and disposable hosting. These links likely serve as lures for phishing or to download further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9951
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://rhagro.com.mx/wp-content/plugins/super-forms/uploads/php/files/1798bcead9d2f73e3b541ce7f934c5e0/59446447298.pdf
- http://aryajob.com/user_upload/file/jokirokuranabopidur.pdf
- https://unosms.us/userfiles/file/83162242996.pdf
- http://voszveszprem.hu/_user/file/kafojaxilolakene.pdf
- http://accurateverdicts.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c30ed33f42---62502657549.pdf
- http://averon.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1606ed82664b33---80372533190.pdf
- https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/du8ms18s7mbh77a1mpdsbesrn1/natizofixaliwi.pdf
- https://kltccompany.com/ckfinder/userfiles/files/95677376334.pdf
- https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/10b013eef404bcc3bc9b6fd96325ba3c/47172535084.pdf
- http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1608f30ec3788f---jewixijajodok.pdf
- http://www.klpreschool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a017e003267---54520417805.pdf
- https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/sao6jbh1n1arainepk0aptoh8k/20519011243.pdf
- http://biodent.ro/m4fm_files/m4news/ck-uploads-files/19991419720.pdf
- https://centrobrands.com/wp-content/plugins/super-forms/uploads/php/files/2e112fb9e3821e0e6518f12e66bc7cb5/53085902317.pdf
- https://wills.sg/wp-content/plugins/super-forms/uploads/php/files/ce1a9dc8f337fe925cf0068a2c38e725/5973499395.pdf
- http://esejsc.com/upload/files/sadobug.pdf
- http://www.cuadernos.in/wp-content/plugins/formcraft/file-upload/server/content/files/1607a33dda4fc6---zagafedo.pdf
- http://albino-pitti.com/pub_img/file/98837322335.pdf
- https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/49823f8acd4d07aceeacce991c307533/zelezu.pdf
- http://backkwang.com/userData/board/file/tupaxunegosoxaruj.pdf
- https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/olfuofm8ms2n25463l5jvmdhgj/10474109043.pdf
- http://izdepskifamily.com/clients/1/1a/1adacdf247316bc4617b3617d965acc7/File/fusepunikonozanonejenuv.pdf
- http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080371ed0024---gakiwe.pdf
- https://mziagroup.com/wp-content/plugins/super-forms/uploads/php/files/4b7vmmn9imdo8mhb7sb4i938ac/lujuxoj.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=yearly+rate+of+return
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c604.bin9f115b71efa5bea3e7982a32355b3c1ab1e5b70996dc3599036c3ae2ca6c8024 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC604 | 15916 bytes |
font_01_sfnt_off0000eee9.bin787a5777bcad2ce6205f6f2b4aa5b1244b1dd3d10d3e88fe69cdf65c69e0b831 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEE9 | 10144 bytes |
font_02_sfnt_off000105c1.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x105C1 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.