MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous URLs pointing to compromised WordPress sites and disposable hosting, suggesting it functions as a link farm to redirect users to malicious content. The PDF's structure and embedded URIs strongly suggest it's used in phishing campaigns or to distribute further malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.9956
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://oniceh.ru/uplcv?utm_term=red+wine+stain+on+linen
- http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606cadc12c82e---xopifevujefiziga.pdf
- http://ilyxrace.com/userfiles/files/34603422774.pdf
- https://bevelec.com/bevelec/dossierMois/file/51594968548.pdf
- https://bikeid.net/ckfinder/userfiles/files/23705973327.pdf
- https://www.rowtheerne.com/wp-content/plugins/super-forms/uploads/php/files/5ada0eee6ce4320d55841a0d3b223aab/fazesaxifotibezudunix.pdf
- https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/6220687bbc74e6edd65d0f635e9a6e4b/63106880893.pdf
- https://fnb-concepts.com/images/uploads/files/jokawinazomoxopinojo.pdf
- http://nowyhotelik.pl/userfiles/file/36571778512.pdf
- https://agribusiness.pk/wp-content/plugins/formcraft/file-upload/server/content/files/16070ed28aee52---tegumamatoxati.pdf
- http://npxbyy.com/wang3_3_10_27/Upload/Upload/file/2021621142755511.pdf
- https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/160ae978a1160b---wojixumunaxerij.pdf
- http://www.sunarmisir.com.tr/wp-content/plugins/super-forms/uploads/php/files/l9bsnrk92uf5ita2vohk9ev4o4/98357624345.pdf
- https://castel.ro/userfiles/file/51011836836.pdf
- http://www.centralperdana.com/file/zifatugusowukolamu.pdf
- https://mudateconmigo.cl/wp-content/plugins/super-forms/uploads/php/files/62252b4b702edea807efcaf2301fa242/jizovasuluxexisevegifezef.pdf
- http://smithmurdock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160724617a0efe---45946877048.pdf
- https://behagi.eus/files/galeria/files/72623674478.pdf
- https://gulertrafik.com/wp-content/plugins/super-forms/uploads/php/files/0auu24ej10h8m1a80f5s4ooa6g/10465152959.pdf
- https://betenagro.com/sites/default/files/file/teveneguxalo.pdf
- https://www.criteriainvest.com.br/wp-content/plugins/super-forms/uploads/php/files/h469cqs4svunm9pvr9ov9qufnv/bosuxisisidewugevodoko.pdf
- http://agendatourvietnam.com/hinhanh/file/kadonutulemawidonubex.pdf
- http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c9b5400ec0---kexatogikonenilijunem.pdf
- https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/uffb0n1n6j9qk0tljino0s6je8/dirarivenofiwavob.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ece7.bind151979101d3c2271cb87ea7089928f9057897a13c685cdf4abba1d48987567e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xECE7 | 17028 bytes |
font_01_sfnt_off00011951.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11951 | 16792 bytes |
font_02_sfnt_off00013168.bin86c2f2cd68c724ea6bdcce4b79b2c79d69bee52d74256ec91b9c54d1ffd0cb18 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13168 | 10272 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.