MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link farm pointing to numerous other PDFs hosted on compromised WordPress sites, indicating a phishing or malware distribution attempt. ClamAV and ML classifiers flagged this file as malicious, specifically as a phishing trojan. The embedded URLs are likely part of a campaign to lure victims to malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9982
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://baharemadinah.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607807e9815f0---31073597964.pdf
- http://graylegalservices.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/60619177091.pdf
- http://www.reenactmentmarket.eu/images/wyswig_images/file/48682393386.pdf
- https://sketchup360.vn/wp-content/plugins/super-forms/uploads/php/files/b3creldo32o3lk7m0hck9ktdfe/52878372473.pdf
- http://thehigh86.com/clients/13680/File/79350214941.pdf
- http://jpbullies.com/clients/2/2c/2c827f09d77a589c2c5c7da8c033a3f4/File/mofudakulovugijuverozada.pdf
- https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/bf1boeq82idopd9bsq8btg5p11/79439841883.pdf
- https://mymango.ru/wp-content/plugins/super-forms/uploads/php/files/9f1ae3f5cac2f233dbf7b3fd3f744753/24799126841.pdf
- https://actorconseil.com/files/file/43103568252.pdf
- http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/8b4954328b7f47c3a5a79d4bf6a26205/dajodijazilosa.pdf
- http://gongotour.com/FileData/ckfinder/files/20210619_91599F52833A2AB7.pdf
- http://sb-78.ru/files/file/24826925913.pdf
- http://classicalgardenstatues.com/uplds/file/74797191544.pdf
- http://grani-tonkogo-mira.ru/wp-content/plugins/super-forms/uploads/php/files/e6da4204cf7fddf0499689d57d808dc2/vorakigi.pdf
- https://vizzzio.ru/wp-content/plugins/super-forms/uploads/php/files/2c21b5a643404f3538f0b9ee7467f0a7/23396593380.pdf
- http://armanetti.com/images/59881935537.pdf
- http://lalitas-thaimassage-spa.de/wp-content/plugins/formcraft/file-upload/server/content/files/160e4a26d7c65c---16465971454.pdf
- http://www.vitrierbxl.be/wp-content/plugins/formcraft/file-upload/server/content/files/160af0d6cd7202---87531437095.pdf
- http://csss77.com/clients/d/df/df7f2fdc42e243c7a03c192a8228c0be/File/wubaxoregija.pdf
- http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608499e8e8b85---dedigexokadamorunefam.pdf
- http://www.airportlimofortlauderdale.net/wp-content/plugins/formcraft/file-upload/server/content/files/160aef0168e11b---76828175305.pdf
- https://bodwellassociates.com/wp-content/plugins/super-forms/uploads/php/files/aed0bb5f17aa664d6c501ce2d5055e9c/besubupoduz.pdf
- http://adance0112.com/upfile/editor/file/sikuwesupevu.pdf
- http://fashioneducation.ru/userfiles/file/buvedulixim.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/zMnd8XtcwSM/uplcv?utm_term=mobile+suit+gundam+extreme+vs.+maxiboost+on+ps4
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb9f.bin0e51201dafdd2ade94f7900c55b08b62a9cf16c497e2504fcd59e15978d568cf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB9F | 17576 bytes |
font_01_sfnt_off0001171e.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1171E | 16792 bytes |
font_02_sfnt_off00012f35.bin56f190db181cfb3ec202f9d1a2b62d3c28a76673c748e988828f274e16182f08 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12F35 | 11280 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.