MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a high number of external links, many pointing to compromised WordPress sites and disposable hosting, indicating a likely phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The document body is heavily obfuscated and appears to be non-readable content generated by wkhtmltopdf, further supporting the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 0.9860
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://queure.ru/uplcv?utm_term=to+be+physically+fit PDF link annotation
- http://sieuthivatlieuhoanthien.com/upload/files/94295842273.pdfIn PDF document text
- https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/7459ed089aef1de5953065d67a1d7432/30132728731.pdfIn PDF document text
- https://atlasautoglass.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8aeb401959---76618882837.pdfIn PDF document text
- http://andrelandberg.com/userfiles/file/99283153962.pdfIn PDF document text
- http://grupogmec.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607671bcb38e4---19857405914.pdfIn PDF document text
- http://www.next-conseil.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160d00ce6b5f4f---44208890641.pdfIn PDF document text
- http://kondicionery-dolgoprudny.ru/upload_picture/file/47545426813.pdfIn PDF document text
- http://lhs1965.com/clients/880801/File/jalofamuzip.pdfIn PDF document text
- https://ivfnna.gr/wp-content/plugins/super-forms/uploads/php/files/ad9252b9e8a2b8ac9f7b209b115288c3/4176256726.pdfIn PDF document text
- http://zhengfutz.com/v15/Upload/file/20215242149359690.pdfIn PDF document text
- https://www.andeanskyline.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609230508d49b---daduzabetituvuwaf.pdfIn PDF document text
- http://ekolojikweb.net/upld/userfiles/file/25578856280.pdfIn PDF document text
- http://conwaychristian.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607923f223160---7695696348.pdfIn PDF document text
- https://www.lindopoint.it/wp-content/plugins/super-forms/uploads/php/files/ebd6da1a9cb0a97103d816a15d942f05/xotamowekepoxazig.pdfIn PDF document text
- http://beytarimcilik.com/admin/editor_resim/file/84893912523.pdfIn PDF document text
- https://gz-topstar.com/wp-content/plugins/super-forms/uploads/php/files/67e5187581364d2fa42885b12bb8f471/14346618363.pdfIn PDF document text
- http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160831612769b9---95950095553.pdfIn PDF document text
- https://landlorddebtadvisory.com/wp-content/plugins/super-forms/uploads/php/files/9uff2sorm2ioaim95dlb8rfe86/kafaxijuduzorakijisara.pdfIn PDF document text
- https://heykidsletscook.info/wp-content/plugins/super-forms/uploads/php/files/eb384247e4becdc88bf195cdf1772216/4257152821.pdfIn PDF document text
- https://engineeredrepinc.com/wp-content/plugins/super-forms/uploads/php/files/1816d5c500ad73a11fd46b9219b0a992/98290951035.pdfIn PDF document text
- https://terravistahometeam.com/wp-content/plugins/super-forms/uploads/php/files/c817e10832209956a126bbdd82176d59/vujidifuzasu.pdfIn PDF document text
- https://www.financedeclined.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609c0ff3d12e7---zelutomufajowejigutimuw.pdfIn PDF document text
- http://doublehappyvstheinfinitesadness.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082fbd67e6d6---60079314453.pdfIn PDF document text
- http://chocolatycakes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8d099f355---pazotigipavodedidekusoda.pdfIn PDF document text
- https://bangprice.combangprice.com/beta/cms_image/file/81464896857.pdfIn PDF document text
- https://www.spreefahrten-berlin.de/wp-content/plugins/super-forms/uploads/php/files/pn3h5vspqsj4kvqp6dbsor7eci/59802838326.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ebff.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBFF | 10592 bytes |
SHA-256: ad40ce94516bfb15a6942365d733d9bc9902156f0f60ed142a548b94bf0ac748 |
|||
font_01_sfnt_off0001042c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1042C | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_02_sfnt_off00011c3e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C3E | 16644 bytes |
SHA-256: fd3837e2a302773769fc12c0cc78ffdde20e03d65a0e7a0c09f8eff9218f677d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.