MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
T1059.007 JavaScript
This PDF is identified as a malicious phishing trojan by ClamAV and a machine learning classifier. It functions as a link farm, directing users to compromised WordPress upload storage, likely to facilitate an advance-fee scam by luring them with fake download links. The document body, though heavily obfuscated, contains references to movie downloads and potentially lottery or prize information, consistent with advance-fee fraud schemes.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://caacoding.net/wp-content/plugins/formcraft/file-upload/server/content/files/16091627b4ba23---tilovuxojilulikoniwekina.pdf
- http://kindervakantieweekdeurne.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ae25e9ebba8---petanapowi.pdf
- http://tillmanfamilyreunion.com/clients/b/b7/b7385abc5988d1ee605fea7695e3d00e/File/sopokubire.pdf
- http://bonsaichik.ru/images_uploads/files/42550334633.pdf
- http://profisystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1609cfb4bdbc90---96901601698.pdf
- http://gongotour.com/FileData/ckfinder/files/20210601_A40FAE069772FDFB.pdf
- http://dossalas.com/wp-content/plugins/super-forms/uploads/php/files/cdd3fefc16f8b672737b0682729bf6f1/rowajo.pdf
- https://houstoncoinshow.org/FCKeditor/file/rarikigapumagitevazakujav.pdf
- http://bettynblue.com/upload/fck_img/20210510/file/benobefewijezuwog.pdf
- http://johndanton.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/godanetalokija.pdf
- http://perfectthesale.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093ce289601a---paditiborebo.pdf
- http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/u1lfcg92glaj1md16b0v1ulge0/buzezavifozapubetix.pdf
- http://allaboutdowney.com/userimages/25299251507.pdf
- http://niszczeniewaw.pl/userfiles/file/15664236617.pdf
- https://heykidsletscook.info/wp-content/plugins/super-forms/uploads/php/files/fb4016f63fb5daaba776898bd0504fc3/xakugo.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://fedorahosted.org/lohit
- https://feedproxy.google.com/~r/skout/mBVl/~3/3CAf4wW3hvY/uplcv?utm_term=majili+movie+download+jio+rockers
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
- http://scripts.sil.org/OFL
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off0001289c.bin49b19c5a1b44d6c38103980c269d6a3cc8bfbc0b40d45ae17be31b77b9d7fba7 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1289C | 19640 bytes |
font_00_sfnt_off0000eeff.bin75b3cbb8e3b01a4d317491072f5dd895f942fabba4c972e0fd148b93221f76a3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEFF | 5380 bytes |
font_01_sfnt_off0001015c.bin030550bbd2e0e338bd8a424561cd37cb1202461b12cdeb54aa08a91197992c6f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1015C | 11628 bytes |
font_03_sfnt_off00014952.bin094b45589d2d08819f64a84cef27e64a4345a45ef6646926ece81f7e5b36b979 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14952 | 4332 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.