Verdict: MALICIOUS
Risk Score: 166
Machine Learning
- Nyx PDF Classifier malicious score: 0.8156
Heuristics (6)
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Image lure linking to an SEO redirector (free-download phishing) (high) PDF_SEO_UTM_REDIRECTOR_LINK: PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector, the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
-
PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM: PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
-
External URI (info) PDF_URI: PDF contains an external URL action.
-
Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001e063.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E063 | 35360 bytes | 06c962fabf1adb7a6ed3400b1a2b4a538d7c0b33f78975048b6ffd260019f5be |
| font_01_sfnt_off000230f4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x230F4 | 16100 bytes | cd995502891255dfbcf4afd28e083ab8bfc87dc57603266f4586087dd25ac3fe |
| font_02_sfnt_off0002464d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2464D | 10860 bytes | 0610873fa01443d283986553f436112c2c8c5d49a8f5cda9cdf3b59398b96bc4 |
| font_03_sfnt_off00025f58.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25F58 | 81476 bytes | 9805323ab46875830736cacace138e909e608e7404498d80c4a1aaad0cd3fad9 |
| font_04_sfnt_off00033201.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33201 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |