MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains numerous links to external websites, many of which are hosted on compromised WordPress installations or disposable domains, indicating a link farm designed to distribute malicious content. The presence of algorithmically generated URLs and the ML classifier's flagging further support a malicious classification. No scripts were extracted, but the overall structure suggests an attempt to redirect users to potentially harmful sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.5251
Heuristics 5
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://tyextractor.com/d/files/79613693630.pdf In PDF document text
- http://choinka4x4.org/cms/files/file/jusoxuxojoju.pdfIn PDF document text
- https://asiastudy.in/ckfinder/userfiles/files/gokub.pdfIn PDF document text
- https://biogenetixpharma.com/ci/userfiles/files/domuzejofeziwomebejitizuw.pdfIn PDF document text
- https://thejasmineway.net/wp-content/plugins/super-forms/uploads/php/files/f2gfdrap4sptvh6pd3c1fcgl0c/xulubujorinajokodeg.pdfIn PDF document text
- http://1yunnan.com/ckfinder/userfiles/files/3198227663.pdfIn PDF document text
- http://tamlaproject.com/userData/board/file/85339472198.pdfIn PDF document text
- http://akkoryazilim.com/userfiles/file/zivaviponiwaw.pdfIn PDF document text
- http://phrabat.net/UserFiles/File/2333926967.pdfIn PDF document text
- https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/160c8817b6c084---puzudeka.pdfIn PDF document text
- https://finestblogger.de/wp-content/plugins/super-forms/uploads/php/files/5q3m4175q460g8t88m1vttjp4m/24681333756.pdfIn PDF document text
- http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160941273f247d---gomakonawezigejinoso.pdfIn PDF document text
- https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/da6abb90c26147a0c82e996a5ec12e7b/42875649123.pdfIn PDF document text
- http://kursadowicz.pl/Upload/file/woxanidoro.pdfIn PDF document text
- https://www.getfitcrew.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070185583d97---51919784672.pdfIn PDF document text
- http://daeryuhealthcare.com/ckupload/files/69414071338.pdfIn PDF document text
- https://www.plsok.com/wp-content/plugins/super-forms/uploads/php/files/9cff4dee561f20237f52427b08b93eae/49016501989.pdfIn PDF document text
- http://www.bandungmesin.com/file/72888446480.pdfIn PDF document text
- http://www.rec39.ru/wp-content/plugins/super-forms/uploads/php/files/50b62b8f5eb36008c3d3bf38d4d746a1/fisuzeka.pdfIn PDF document text
- https://cal.lighting/wp-content/plugins/super-forms/uploads/php/files/22b710414e1caa60a71fed9fbadd57d5/sugekuxopezeb.pdfIn PDF document text
- https://learningsolution.ca/userfiles/files/pofulex.pdfIn PDF document text
- http://kubablimel.pl/Image/files/kanozufukopi.pdfIn PDF document text
- http://thucphamchucnangmy.vn/uploads/files/28454791470.pdfIn PDF document text
- https://ntpuvoice.com/ckfinder/userfiles/files/90690099635.pdfIn PDF document text
- http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/lpca1snp9fbrfar0ttq9hucrs5/nawavadakisikivaliwule.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3vuEKuznOb8/uplcv?utm_term=fast+acting+benzodiazepinesPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e560.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE560 | 16880 bytes |
SHA-256: f7c0ccfdbc4584852f8b3326b66353b48c00f030d865972d607978da827e57b0 |
|||
font_01_sfnt_off00011149.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11149 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.