MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses a password-protected-archive lure. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.
Machine Learning
- Nyx PDF Classifier malicious score 0.9971
Heuristics 8
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://crewmak.ru/uplcv?utm_term=tenkaichi+tag+team+mod+iso PDF link annotation
- http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cca79b1c50c---21393686590.pdfIn PDF document text
- http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/gapti4uhh5cbg4nscuikbgfg0l/kiwonojajixuwabinizijan.pdfIn PDF document text
- https://xn--faade-mtal-p6a3a.ch/ckfinder/userfiles/files/56731355484.pdfIn PDF document text
- https://ag-concept.ru/wp-content/plugins/super-forms/uploads/php/files/5cae7842e9067ff4d862e8344b8594f1/33958715339.pdfIn PDF document text
- http://greatnice.club/updatefiles/file/42395070640.pdfIn PDF document text
- http://makaifruits.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4637faea6d---bozutipo.pdfIn PDF document text
- http://szentimresiklos.hu/upload/file/56515996771.pdfIn PDF document text
- http://eviljoy.com/UserFiles/File/rulonalabupawufilawaj.pdfIn PDF document text
- http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/160705f2ed4040---32932171949.pdfIn PDF document text
- http://www.neoneophytou.com/ckfinder/userfiles/files/11743942224.pdfIn PDF document text
- https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/22e86c49bf5c6e3b555d297e537d9661/kogabafavomadikogud.pdfIn PDF document text
- https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/7g2qsscvicu9im1k3n93l2gdbi/manenemijidixavefiwune.pdfIn PDF document text
- http://accessprecision.com/userfiles/file/vapovirowaganerufiko.pdfIn PDF document text
- https://turismoporsantander.com/aym_image/files/fopesuwafedoxodefifebo.pdfIn PDF document text
- http://sehs67.com/clients/e/e0/e078d4d0076166a7bb489ca3b3a583ab/File/jiwaxofiwiwuz.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a34a0187586---logomijiroluwutukow.pdfIn PDF document text
- https://sarujiovalente.com/wp-content/plugins/super-forms/uploads/php/files/mnch55dmpmep0gp3ipscsibn6j/7365692551.pdfIn PDF document text
- https://wpsqld.com.au/wp-content/plugins/super-forms/uploads/php/files/0742adaa6e773239db4ae5bdb93743ba/25566750237.pdfIn PDF document text
- http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bdefaf4c38a---96328586431.pdfIn PDF document text
- http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/i0b241jihf0cmesdgkabtie6k3/27172488492.pdfIn PDF document text
- https://zweefvlieg.net/userfiles/file/tinedutumoku.pdfIn PDF document text
- https://www.propertyfilevault.com/wp-content/plugins/super-forms/uploads/php/files/0fc1fb13b68374d8a94e1e943d47b131/23492332526.pdfIn PDF document text
- https://kingcarmotorista.net/uploads/files/gijowebepexafetala.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001226c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1226C | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_01_sfnt_off00013a83.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13A83 | 10728 bytes |
SHA-256: 62e1d9d10a29ae5bd81ceba5252fcf4e7af47c4ae34c4ebdbc42f120d6ade581 |
|||
font_02_sfnt_off000152d1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x152D1 | 17364 bytes |
SHA-256: e736c932f208d6270b02a0c21f044242012909beff1b6ca479d5181bca84dd50 |
|||
font_03_sfnt_off00018068.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x18068 | 16140 bytes |
SHA-256: 00b1f632e8afe72716c8bcdb76b7901b56c060d1dc0f96f3f5c1b8373b85735b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.