MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous links to external websites, many of which are hosted on compromised CMS platforms or disposable domains, suggesting a link farm for phishing or malware distribution. The ClamAV detection and ML classifier strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to 'Grade 6 maths word problems', aiming to trick users into clicking malicious links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://nomylo.ru/uplcv?utm_term=grade+6+maths+word+problems PDF link annotation
- http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071c31094139---65924244235.pdfIn PDF document text
- https://www.guestquesttravelmedia.com/wp-content/plugins/super-forms/uploads/php/files/ektos78vp4pr7u6fcpkdleg19p/84701222133.pdfIn PDF document text
- https://childrencareandliteracysociety.org/userfiles/files/fazefawapola.pdfIn PDF document text
- http://www.gainerwindows.ca/wp-content/plugins/super-forms/uploads/php/files/dktr0l7tgo4aa54s621c7imks4/pajaludodagedujodunexe.pdfIn PDF document text
- https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/cn5vph8buod7prmnu1o2b3l244/gedasobinum.pdfIn PDF document text
- https://vallejardin.com/wp-content/plugins/super-forms/uploads/php/files/219a56fad4ca0e49312980d51de2a7a4/38300054590.pdfIn PDF document text
- https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160b4048bba559---24153941238.pdfIn PDF document text
- https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/e5f0l2en4nu6at7onva9dv1gm3/55263537220.pdfIn PDF document text
- http://opalsolar.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607bb0be1010f---86546170027.pdfIn PDF document text
- http://blog.crowdly.com/wp-content/plugins/formcraft/file-upload/server/content/files/160733b89d0fa5---2553201344.pdfIn PDF document text
- https://mobistore.co.nz/wp-content/plugins/super-forms/uploads/php/files/36378c0472279d907f9d3ed8687c9713/rujowuwugoletosaravezeki.pdfIn PDF document text
- http://www.sevenchurchestour.net/seven/wp-content/plugins/formcraft/file-upload/server/content/files/160b66a2b7588a---87504116662.pdfIn PDF document text
- https://www.msolartop.cz/wp-content/plugins/formcraft/file-upload/server/content/files/160b8f6f92e8e5---58337623433.pdfIn PDF document text
- http://aiswaryamatrimonials.com/fck_uploads/file/31891709682.pdfIn PDF document text
- https://kodeac.com/wp-content/plugins/super-forms/uploads/php/files/oc08o9gcuaqsv72hf4l4e7t3io/wuwixinisarewirad.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000db99.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB99 | 5616 bytes |
SHA-256: 72e407b0af9a7b7827ffaaa68db9bcb63e755a889fed397be3e76be849b08e83 |
|||
font_01_sfnt_off0000ee91.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE91 | 11516 bytes |
SHA-256: 7c34f996c022e7771bcbe74f5be59fa8889507e7e5274b5f79c0c608affcbe82 |
|||
font_02_sfnt_off000115e8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x115E8 | 16060 bytes |
SHA-256: 713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.