MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains a large number of links, many of which point to external websites hosted on compromised CMS platforms or disposable domains. This behavior is indicative of a link farm used for phishing or distributing further malware. The ML classifier and ClamAV detection strongly suggest malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9946
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://sapaethnic.com/webroot/img/files/jaxejalixuxuxe.pdf
- http://nitexprofi.cz/userfiles/file/nifuzatuvupilafawevefis.pdf
- https://www.focus.mu/wp-content/plugins/super-forms/uploads/php/files/f0dbaa89a12d96ef37c1abeadbd8ebbf/5697950945.pdf
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b68e5d8130---nowifitoxewatunobisaraluv.pdf
- https://dacoma.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160804694d6ad1---dogitokojeme.pdf
- http://qtjdb.com/UploadFile/2021/06/01/file/20210601_041931_160.pdf
- http://www.immiflex.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091177796d5a---7547698376.pdf
- http://mfplus.ba/wp-content/plugins/formcraft/file-upload/server/content/files/1606d5a371e262---88742276722.pdf
- http://deauville.ru/files/file/71347173151.pdf
- https://fastcomputer.vn/wp-content/plugins/super-forms/uploads/php/files/e881ab9a0f858334a30b7f0bbdc806f9/80868440657.pdf
- https://marosme.ro/hirek/file/19187529658.pdf
- https://acryl-bg.com/userfiles/file/ratotejiwelizodepawufirag.pdf
- https://nscs.org/wp-content/plugins/super-forms/uploads/php/files/f1cf5a8b337c02cd4617171fc90bc9b9/padewexanutemub.pdf
- https://ckmandarin.com/uploads/jimuxowimug.pdf
- http://recamonde.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160e038bf2e96a---5015950030.pdf
- http://longarmacademy.net/fckeditor/userfiles/file/14026243844.pdf
- https://skyfireconsulting.com/wp-content/plugins/super-forms/uploads/php/files/q5t3oekkt513fnt9v9pc0db1nd/nagolikijogum.pdf
- http://droprint.my/home/ququ4923/public_html/userfiles/file/gadibagewajazugowajuf.pdf
- http://score1forspencer.com/clients/4/45/4587145e2679cb7673d0e21b436e5c25/File/71162083584.pdf
- https://gulertrafik.com/wp-content/plugins/super-forms/uploads/php/files/u84q4derh18dve6oc5f8rkvmai/33107707228.pdf
- http://adance0112.com/upfile/editor/file/51929532194.pdf
- http://nicenpos.com/userData/board/file/52143137335.pdf
- http://www.linkkorea.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/160be3f3562f4a---tinepe.pdf
- https://alakharia.com/public_html/userfiles/file/jelivojiwibaja.pdf
- http://haiphongcontest.com/images/files/96601965902.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=emmy+nominated+shows+2020
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00015891.binb954ee67679f0421c288b133c6046c17b75de6549dcb97a1e63f782b7305f509 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x15891 | 10792 bytes |
font_01_sfnt_off00017158.bin0413e56931099fd8d6939804662f9697e4b9922435ef3151552e33e0d45d279f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x17158 | 17812 bytes |
font_02_sfnt_off0001a086.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A086 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.