MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
This PDF file was identified as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs pointing to compromised WordPress upload directories. These links likely lead to phishing pages or further malware downloads, serving as a distribution mechanism for malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9971
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/079fbd9040f5e741dfdff1501fa90a83/52738992248.pdf
- http://mvclassof1990.com/clients/8/8c/8ca0ba2c7a07c5cd1f21f9fc323c16c5/File/xujobumevif.pdf
- http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4494526b77---lakakagifijij.pdf
- http://kaies.cn/upfiles/210619095151233926k0ktts.pdf
- https://encouragingmath.com/wp-content/plugins/super-forms/uploads/php/files/09c6a33e425d62c4da7d9e2d1e1cdf01/raruxakogaxeje.pdf
- https://carthink.org/wp-content/plugins/formcraft/file-upload/server/content/files/160982e7d54f91---32589406997.pdf
- https://www.democratum.com/wp-content/plugins/super-forms/uploads/php/files/d12063ad2153ed722e1f8431b4c9f46c/17890093254.pdf
- http://sonkertrail.org/clients/9/92/9260a3c387aed4615f72c72c3a1da295/File/7858535027.pdf
- https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/k4lg32pfgutngqcd8atd25r55t/zuweb.pdf
- https://asiarsolutions.com/userfiles/file/jokurotaze.pdf
- https://www.gasserbush.com/wp-content/plugins/super-forms/uploads/php/files/797ab4351689dc84c97c65dc1659c30c/taragujes.pdf
- http://ovartec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160986a789dabe---16255597138.pdf
- https://iescolumbus.org/wp-content/plugins/super-forms/uploads/php/files/07e8ae1c7b2accf1c6575024b2f686dc/9015018175.pdf
- http://abwingsva.com/uploads/files/25606997604.pdf
- https://www.cedicar.com/wp-content/plugins/formcraft/file-upload/server/content/files/160894bc74edbe---66103857507.pdf
- http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/315f346de21c3960f38ab9208d7bca32/vorawarapobifadul.pdf
- https://formapolis.it/wp-content/plugins/super-forms/uploads/php/files/b4c617df61bda870a8f19e38346b0f82/87005789342.pdf
- https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/lkhn1alcshusjpod2biertcl44/15123504229.pdf
- https://aquaticlandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cbcef4a1f1---dudogenasevivakomuw.pdf
- https://www.basur-tedavisi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d654455f2f---67219563923.pdf
- https://baxsporthorses.com/userfiles/file/fejibuziwisobamaf.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=jack+and+jill+went+up+the+hill+lyrics
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c48f.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC48F | 16792 bytes |
font_01_sfnt_off0000dca1.bine25f6d09288654e94b4952c6f6084624c51aa880dcc29585e5c7256d4d41bdb4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDCA1 | 17124 bytes |
font_02_sfnt_off000108ec.bina713e66b5ed142cb96d294cf583ce5805366905155f4a12cbe2ff619886c835c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x108EC | 11004 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.