MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains numerous embedded URLs that point to compromised WordPress sites. These sites, in turn, host other PDF files, suggesting a link farm designed to distribute malicious content or lead users to phishing sites. The ML classifier strongly indicates malicious intent, and the structure of the links points towards a coordinated effort to host malicious files on compromised infrastructure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9899
Heuristics 5
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://philabc.ru/uplcv?utm_term=sd+formula+for+ungrouped+data
- http://snookerfootball.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16075a14c8e255---linarurijedowatogab.pdf
- https://brylka-kfz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607ef95ed0586---58888006229.pdf
- http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608174b46c78e---52011991881.pdf
- http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/1608c7734dd6fc---xivubuladaju.pdf
- https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1607f0a5771bb0---32151589953.pdf
- https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/aa96f0c5abbc9e9da861f02d650cc3c7/wezafevajex.pdf
- http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608013535f461---beputopitik.pdf
- https://carpanea.it/wp-content/plugins/super-forms/uploads/php/files/9493d2379ec5213a93b3441301443f7b/7459818062.pdf
- http://birons.net/wp-content/plugins/super-forms/uploads/php/files/2f2668efdba19b7e6427b42a5472e767/tovedilizoborezowuwi.pdf
- http://oneself.pro/wp-content/plugins/formcraft/file-upload/server/content/files/1608624133ddf7---dakezolar.pdf
- http://localhomesales.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160ac181cca850---91819188359.pdf
- https://cr2tek.com/userfiles/Proj_Name//files/gijuzokudupelosesonumisex.pdf
- https://cambodiadriverservice.com/userfiles/file/43871414182.pdf
- https://asset-books.com/userfiles/file/muzabupexokosuk.pdf
- http://myexamadvisor.com/fck_uploads/files/57129239711.pdf
- https://marosme.ro/hirek/file/71203107562.pdf
- http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/160891cab6110c---42493054897.pdf
- http://global-gypsum.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b322a7ef71d---73375305249.pdf
- https://neavocats.com/wp-content/plugins/super-forms/uploads/php/files/a2c7b161b0986bfd47009339864aa552/jetakekozotut.pdf
- https://www.golaw.net/wp-content/plugins/formcraft/file-upload/server/content/files/16081e16176b18---99433461166.pdf
- https://menlopark.com/wysiwygfiles/file/61331294001.pdf
- https://www.histoiresdegroupes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0abd42a577---fuvopoveb.pdf
- http://tuanayapim.com/rsm/files/5175142263.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00014a2b.bin3fcffc10abf1d827d53555d398884c8907de0b4d863da55faf488fad329ffdb6 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14A2B | 18604 bytes |
font_01_sfnt_off00017b03.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17B03 | 16792 bytes |
font_02_sfnt_off00019314.bin61893c6f5a4ed8be90b59e62ba5f7845fe3f782be61d2927f64273611613f2a4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x19314 | 16160 bytes |
font_03_sfnt_off0001a8a4.bin6e7b05b7ecad6a50ae87c0c35d329c704263a9ead3a22f8cffde3719681ef8aa |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A8A4 | 10756 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.