MALICIOUS (Risk Score 156)

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
This PDF contains numerous embedded URLs, many of them random-slug .pdf files parked in the upload directories of form plugins (Super Forms, FormCraft) on compromised WordPress sites. The PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics identify it as an SEO link-farm document whose purpose is to rank for search queries and route visitors into redirect/payload chains hosted on those sites; the document itself carries no exploit, so the risk lies in the linked destinations. The ML classifier (malicious score 0.9998) and the ClamAV signature (Pdf.Phishing.Trojan) corroborate the verdict.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics (6)

- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware under this signature.
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label (macro, JS, link annotation, document body, ...) for how each URL was reached.

| URL | Channel |
|---|---|
| https://drafthe.ru/uplcv?utm_term=how+to+connect+samsung+wireless+subwoofer+without+soundbar | PDF link annotation |
| http://dansensvenner.dk/imagesfile/%5C/bebulujedubumuke.pdf | PDF document text |
| https://senzedigicraft.com/wp-content/plugins/super-forms/uploads/php/files/23f5b9ba312d21e113c8124adc0906fd/sodubogoguvafode.pdf | PDF document text |
| https://backcountryplayground.com/wp-content/plugins/super-forms/uploads/php/files/e88bd526f6c0be87af9bab5afc454579/45073553230.pdf | PDF document text |
| http://birons.net/wp-content/plugins/super-forms/uploads/php/files/72593cb509cde13e4df76492d677633b/wugakum.pdf | PDF document text |
| https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/051723b91ce2ad5c7d0b6b1da628da8e/46503039176.pdf | PDF document text |
| http://bfr-bialapodlaska.pl/userfiles/file/31556416489.pdf | PDF document text |
| http://rocincorporated.com/domain.com/images/dynamic_pages/file/33502457750.pdf | PDF document text |
| http://hanasushimenifee.com/uploads/files/bavixexoxuvofitamor.pdf | PDF document text |
| http://rufullthrottle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078ab6594316---letidavowaseliloxopatul.pdf | PDF document text |
| https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/2a81f3f312cdc1b8da36bd81c7e4b56f/xaremiburimog.pdf | PDF document text |
| http://www.theflightfest.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a8542d96def---1542433520.pdf | PDF document text |
| http://computer-rudolstadt.de/upload/file/kefizev.pdf | PDF document text |
| http://pphu-joanna.pl/fckpliki/file/ripuv.pdf | PDF document text |
| http://neodentpetrosino.it/userfiles/files/dulekakudadamupuzarixe.pdf | PDF document text |
| https://www.verpoort-bouw.be/wp-content/plugins/formcraft/file-upload/server/content/files/160ad9dd68a050---46691599524.pdf | PDF document text |
| http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609498aadd53f---54076478543.pdf | PDF document text |
| https://robinio.de/wp-content/plugins/super-forms/uploads/php/files/q56v6nv94p4j9q8ti4q3hhl6i3/nijimezupigefetuginobavel.pdf | PDF document text |
| http://www.ascendercorp.com/ | PDF document text |
| http://www.ascendercorp.com/typedesigners.html | PDF document text |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | PDF document text |
| http://purl.org/dc/elements/1.1/ | PDF document text |
| http://ns.adobe.com/pdf/1.3/ | PDF document text |
| http://ns.adobe.com/xap/1.0/ | PDF document text |
| http://ns.adobe.com/xap/1.0/mm/ | PDF document text |
| http://ns.adobe.com/xap/1.0/rights/ | PDF document text |
| http://scripts.sil.org/OFL | PDF document text |
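The two link-farm heuristics above (PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM) can be reproduced from the extracted URL list alone. The following is an added example, not the analyzer's own code: it computes the per-URL features the heuristic text describes (CMS upload path, random-slug filename, utm_term redirector, metadata namespace) and aggregates them over the document. The thresholds, the regular expressions, the "random slug" definition and the benign control list are assumptions chosen for illustration; the sample URLs are a subset of those listed in this report.

```python
"""Added example: re-deriving the link-farm heuristics from a PDF's URL list.
Not the analyzer's code; thresholds and regexes are illustrative assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Upload directories of the WordPress form plugins named in the report, plus the
# generic CMS file-manager paths that also appear in the URL list (assumed list).
CMS_UPLOAD_PATH = re.compile(
    r"/wp-content/plugins/(super-forms|formcraft)/"
    r"|/(userfiles|uploads|upload|fckpliki)/files?/"
    r"|/(imagesfile|dynamic_pages)/",
)

# XMP/RDF namespace and font-licence URIs live in document metadata and are not
# clickable link targets; they must not count toward the farm.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org"}

def url_features(url: str) -> dict:
    """Per-URL features that the two heuristics aggregate over."""
    p = urlparse(url)
    stem = p.path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    stem = stem.split("---")[-1]  # FormCraft prefixes a hex id followed by '---'
    return {
        "host": p.netloc.lower(),
        "is_pdf": p.path.lower().endswith(".pdf"),
        "is_metadata": p.netloc.lower() in METADATA_HOSTS,
        "cms_upload": bool(CMS_UPLOAD_PATH.search(p.path)),
        # Assumed definition of a 'random slug': a long all-digit name or a
        # long all-lowercase pseudo-word such as 'ripuv' or 'wugakum'.
        "random_slug": bool(re.fullmatch(r"\d{8,}|[a-z]{5,}", stem)),
        "seo_redirector": "utm_term" in parse_qs(p.query),
    }

def link_farm_verdict(urls, min_links=5, min_hosts=5, max_host_share=0.34):
    """Return which link-farm heuristics fire for a list of extracted URLs."""
    feats = [url_features(u) for u in urls]
    pdf_links = [f for f in feats if f["is_pdf"] and not f["is_metadata"]]
    hosts = Counter(f["host"] for f in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    cms_hosts = {f["host"] for f in pdf_links if f["cms_upload"] and f["random_slug"]}
    has_redirector = any(f["seo_redirector"] for f in feats)
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        # Many thin .pdf links across many hosts, no dominant host, corroborated
        # by a utm_term redirector link (thresholds are assumptions).
        "PDF_SEO_DISPOSABLE_LINK_FARM": (
            len(pdf_links) >= min_links and len(hosts) >= min_hosts
            and top_share <= max_host_share and has_redirector),
        # Random-slug files parked in CMS upload directories on >= 3 hosts.
        "PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM": len(cms_hosts) >= 3,
    }

# Subset of the URLs listed in this report, plus two metadata namespace URIs.
REPORT_URLS = [
    "https://drafthe.ru/uplcv?utm_term=how+to+connect+samsung+wireless+subwoofer+without+soundbar",
    "https://senzedigicraft.com/wp-content/plugins/super-forms/uploads/php/files/23f5b9ba312d21e113c8124adc0906fd/sodubogoguvafode.pdf",
    "http://birons.net/wp-content/plugins/super-forms/uploads/php/files/72593cb509cde13e4df76492d677633b/wugakum.pdf",
    "http://rufullthrottle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078ab6594316---letidavowaseliloxopatul.pdf",
    "http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609498aadd53f---54076478543.pdf",
    "http://bfr-bialapodlaska.pl/userfiles/file/31556416489.pdf",
    "http://pphu-joanna.pl/fckpliki/file/ripuv.pdf",
    "http://computer-rudolstadt.de/upload/file/kefizev.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
]

# Constructed benign control: a single site citing its own annual reports.
BENIGN_URLS = [f"https://example.org/reports/annual-report-{y}.pdf" for y in range(2018, 2024)]

if __name__ == "__main__":
    print(link_farm_verdict(REPORT_URLS))
    print(link_farm_verdict(BENIGN_URLS))
```

On the report's URLs every .pdf link sits on its own host (top host share 0.14), seven hosts carry random-slug files under CMS upload paths, and the drafthe.ru link supplies the utm_term corroboration, so both heuristics fire; the benign control has one dominant host and no upload-directory targets, so neither does. Metadata namespace URIs are filtered by host so that XMP boilerplate never inflates the host count.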
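The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above is easy to check directly: scan the file for every `N G obj ... endobj` definition, group by object number and generation, and report the ones whose body bytes differ, escalating only when a version carries active content. The following added example (not the analyzer's code) does that over a constructed PDF in which an incremental update silently redefines a link annotation's /URI; the sample bytes, the keyword list treated as "active content" and the severity labels are assumptions for illustration.

```python
"""Added example: finding indirect objects defined twice with different bodies.
Not the analyzer's code; the sample PDF and ACTIVE_KEYS list are constructed."""
import re

# Matches 'N G obj <body> endobj'; the lookbehind keeps '12 0 obj' from matching
# inside a longer number such as '112 0 obj'.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Keys whose presence makes a duplicate body 'active' (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

def find_duplicate_objects(pdf: bytes) -> dict:
    """Return {(num, gen): [body, ...]} for objects defined more than once with
    at least two distinct bodies, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return {k: v for k, v in defs.items() if len(set(v)) > 1}

def assess(pdf: bytes) -> dict:
    """Per duplicated object: 'info' for body-only differences, 'medium' when any
    version carries active content, plus what a first-wins and a last-wins reader
    would each resolve for that object."""
    report = {}
    for key, bodies in find_duplicate_objects(pdf).items():
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        report[key] = {
            "severity": "medium" if active else "info",
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
        }
    return report

# Constructed sample: the original document's link annotation (object 5) points at
# example.org; the appended incremental update redefines object 5 with a different
# /URI and also touches the Info dictionary (object 4), a benign body-only change.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Producer (example) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    # --- incremental update appended after the first %%EOF ---
    b"4 0 obj << /Producer (example) /ModDate (D:20240101) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://redirector.example/uplcv?utm_term=x) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, r in assess(SAMPLE_PDF).items():
        print(key, r["severity"])
        print("  first-wins:", r["first_wins"].decode())
        print("  last-wins: ", r["last_wins"].decode())
```

Object 4 differs only in a /ModDate and stays at info, exactly the benign incremental-update case the heuristic text mentions; object 5 carries a /URI action in both versions and is raised to medium, and the two resolutions show why the shape matters: a reader that honours the original cross-reference section follows example.org while one that honours the update follows the redirector.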
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e0f1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE0F1 | 4788 bytes | 5594f0312c46166f9947cf6eb4d68dbebb79b07a6003ebb43456cadeeb59ee17 |
| font_01_sfnt_off0000f1ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1CA | 5628 bytes | 2feecac671b3f64bf8f0b8cbd25cfa35ec429ba3a2ecf6c38547a87894f79bd3 |
| font_02_sfnt_off000104d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104D0 | 10728 bytes | d7b6c1d37ab73d75c1350811d82314ffa80ca81e406de030dbcc245cfaa022ac |