MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a lure to install a browser extension or update, a common social engineering tactic for credential theft or malware delivery. Several heuristics indicate the PDF is part of a link farm hosted on compromised websites, suggesting a phishing or malware distribution campaign. While no scripts were directly extracted, the PDF structure and embedded URLs point towards malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9947
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://sirikulsteel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613c9168a7841---52288780479.pdf
- http://gonzagafood.com/userfiles/files/jusuliduruwuxun.pdf
- https://dichvuketoanvn.org/uploads/files/barejuvolameredal.pdf
- http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1612ff82d28fc4---xubololetufibiguloda.pdf
- http://odpadykj.cz/UserFiles/File/nuvewevopugiveva.pdf
- https://femagnet.com/upload/edu/article/file/tijorosugafaxe.pdf
- http://altiro.nl/home/tjerk/file/56666850261.pdf
- https://www.koreayokogawa.com/ckfinder/userfiles/files/96081681376.pdf
- http://nickelsgrafikdesign.de/ckfinder/userfiles/files/pepakil.pdf
- https://appchecar.com/ckfinder/userfiles/files/sowebik.pdf
- http://www.tempshift.com/app/webroot/files/uploadimagesfile/mezemanafobefenodinuwifiz.pdf
- http://rasmesafar.net/basefile/basefiles/42637144391.pdf
- https://www.vibrationmonitoring.asia/wp-content/plugins/formcraft/file-upload/server/content/files/1613b83a4ddd86---nuxixokoxenenuziri.pdf
- https://big-affaires.com/img/pics/files/wisijatitaworobudosav.pdf
- https://monarchwinemerchants.com/wp-content/plugins/super-forms/uploads/php/files/86ed70575a3c1829d571a4de9b8de4b2/dufipurimirulasorode.pdf
- https://www.paparazzirestaurant.com.au/wp-content/plugins/super-forms/uploads/php/files/a9a72e4d3c6e8b6e6b5a0e73c27e1e6f/21572581876.pdf
- https://sindicav.com.br/ckeditor/ckfinder/userfiles/files/9150398207.pdf
- https://callmarkinvestments.com/callmark/files/pegovo.pdf
- http://plncse.hu/php_data/file/85315048250.pdf
- https://mtmhomeschool4art.com/mycms/uploadedimages/editorUploadedImages/file/72799246769.pdf
- http://www.allatpatikapecs.hu/images/file/40703829004.pdf
- https://aldwalia.com/userfiles/files/vaxapokawabed.pdf
- http://dreamwith.gni.kr/ckupload/files/sebidasakokikigukez.pdf
- http://baracenter.be/userfiles/file/2812956361.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=free+200+likes+on+instagram
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ebc8.bin1175ed837481ec1711d36f94e065da5a4cae4c037b74907a785f8deabb3693c4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBC8 | 10760 bytes |
font_01_sfnt_off00010493.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10493 | 16792 bytes |
font_02_sfnt_off00011ca5.binc3309391c72a50d18a412b63303069e09038dccd9133f7c89e284f563717332d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CA5 | 19256 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.