MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF document contains numerous links to external websites, many of which appear to be compromised WordPress installations used for hosting malicious files. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely provides instructions and a password to decrypt a malicious archive, a common tactic to evade gateway security. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9940
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://infrive.ru/uplcv?utm_term=nct+127+chain+mp3+download PDF link annotation
- http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/160d65c2ee7ac5---simobulajeporogulawu.pdfIn PDF document text
- http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c3226142032---jidefegujufiduf.pdfIn PDF document text
- http://hongshengfish.com/uploadfiles/20210516/210516182253115838rnnaj9a07gjw.pdfIn PDF document text
- http://becro-plast.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160782ec64a54a---63235277075.pdfIn PDF document text
- http://gabinetortodontyczny.eu/userfiles/file/19379035562.pdfIn PDF document text
- https://vinisfarm.com/wp-content/plugins/super-forms/uploads/php/files/48fd735e6d1d2d26500ba60824ba98f3/vagebapuxuludenawune.pdfIn PDF document text
- http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/160740bb7ebe8e---53588498858.pdfIn PDF document text
- http://redwoodpwr.com/wp-content/plugins/super-forms/uploads/php/files/hbs7i5ttsa39te6uf61mltq6n0/75826318734.pdfIn PDF document text
- https://cashmeredreams.com/wp-content/plugins/super-forms/uploads/php/files/7731d078716ff29e6d95603f3b6a2b51/subuvuniwoj.pdfIn PDF document text
- https://refour.dk/wp-content/plugins/super-forms/uploads/php/files/82a21919153d9d5ad8bcddd2b9bb6931/79411687367.pdfIn PDF document text
- https://rhdplumbing.com/wp-content/plugins/super-forms/uploads/php/files/b32058ec18a4a50752d57e009286f18c/terenemofasififubo.pdfIn PDF document text
- http://www.patriarca-batiment.com/ressource/site-image/files/dirowukona.pdfIn PDF document text
- https://foxtailmag.net/wp-content/plugins/super-forms/uploads/php/files/f8b797c28f8e8ca9383466533c8c32b6/bekewod.pdfIn PDF document text
- http://recamonde.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b29d0db837a---89981507753.pdfIn PDF document text
- https://www.zulilighting.com/wp-content/plugins/super-forms/uploads/php/files/ded9b6afbcc123c33232436ad1f2aff5/68186924225.pdfIn PDF document text
- http://thm-holding.ru/wp-content/plugins/super-forms/uploads/php/files/5276997413f4572eee5e82c3c00db7b5/46234812699.pdfIn PDF document text
- https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160ae657b0b74d---81895192911.pdfIn PDF document text
- https://lakecountyoralsurgery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b33b8b23ed---masivesotezemesujox.pdfIn PDF document text
- https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a78056150a0---gevewomikikapaf.pdfIn PDF document text
- http://canxetaidientu.com/images/file/fefajux.pdfIn PDF document text
- http://goldnumber.info/userfiles/file/kaligoluwelajewob.pdfIn PDF document text
- http://www.blackhillsdancecentre.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ae5b569093---51166300016.pdfIn PDF document text
- http://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160843f5aed86b---mufafedavesetipujik.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c2e7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC2E7 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_01_sfnt_off0000dafe.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDAFE | 10836 bytes |
SHA-256: bd0fe43b7536a3b763c60eb0a0ea05686148bd1e213c1a46c202cb7fed8a23c7 |
|||
font_02_sfnt_off0000f3f6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3F6 | 2572 bytes |
SHA-256: dbd0f199df7fb494cac436db0cc82a6163a31a095be68b0a990836b5667da31f |
|||
font_03_sfnt_off0000fee1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEE1 | 17292 bytes |
SHA-256: ea9f844711e822c33125dd3eecea4acd7957fb6122b10ab7fa90936e1c3f8de7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.