MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript and multiple links pointing to external resources, many of which are hosted on compromised WordPress sites or disposable domains. The heuristic 'PDF_RANDOM_URL_LINK' specifically highlights a link to 'http://totaldeliverancecathedralchurch.com/clients/2/22/22dae496a1749ae881e6bee195142b05/File/65236473399.pdf', suggesting a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 0.7511
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.kindspring.org/inc/ckfinder/userfiles/files/89717878720.pdf In PDF document text
- http://www.petersmetalstitching.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160ab5ae371de4---74557080889.pdfIn PDF document text
- https://www.sidertest.it/wp-content/plugins/formcraft/file-upload/server/content/files/160be4a05a4e5a---tinojugelatovugitu.pdfIn PDF document text
- http://crystalnymph.by/wp-content/plugins/super-forms/uploads/php/files/b74685c5993a444ffd9bd1d9b2641193/26109580846.pdfIn PDF document text
- http://xn--365-pn7mwb654m2qn.com/ckupload/files/silepoxixexa.pdfIn PDF document text
- https://unserbiokorb.ch/userfiles/file/zujole.pdfIn PDF document text
- https://www.lumisolar.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160afd38f21239---laxovugoxikipelinusumam.pdfIn PDF document text
- https://dunaweb.co/bg_image/files/92698496263.pdfIn PDF document text
- http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607970cf46277---werisosemomaroketerekad.pdfIn PDF document text
- http://sourceit.ke/FCKeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2Ffile/85610718784.pdfIn PDF document text
- http://studioego.cz/userfiles/file/jilugazifet.pdfIn PDF document text
- https://www.grandeprairie.org/wp-content/plugins/formcraft/file-upload/server/content/files/16081131688866---gexarupe.pdfIn PDF document text
- https://www.costaverde.it/wp-content/plugins/formcraft/file-upload/server/content/files/160da7ce9793db---69219763635.pdfIn PDF document text
- http://bizwd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a15fdb105ac---40796113389.pdfIn PDF document text
- http://www.stockholmswingallstars.com/wp-content/plugins/formcraft/file-upload/server/content/files/160726be8228a5---gozimisale.pdfIn PDF document text
- https://maspacientes.es/wp-content/plugins/super-forms/uploads/php/files/l4cthsljc968t8e7r1bi05p8uk/dadedulikogikalur.pdfIn PDF document text
- http://degrossier.nl/uploads/file/91903446965.pdfIn PDF document text
- https://birotex.rs/images/files/91424013048.pdfIn PDF document text
- https://hotelritariccione.it/wp-content/plugins/formcraft/file-upload/server/content/files/16073528453c0f---87051450695.pdfIn PDF document text
- https://uetty.xyz/js/ckfinder/userfiles/files/kogetini.pdfIn PDF document text
- http://alsumiri.net/wp-content/plugins/super-forms/uploads/php/files/af2109d1e4e7ee42dc536aa17ef60ec5/98729086542.pdfIn PDF document text
- http://totaldeliverancecathedralchurch.com/clients/2/22/22dae496a1749ae881e6bee195142b05/File/65236473399.pdfIn PDF document text
- https://ka-base.no/images_content/file/sapopesoxi.pdfIn PDF document text
- http://wannawwannie.pl/userfiles/file/jorogeradugo.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=from+this+to+this+grammarPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ea4a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA4A | 10252 bytes |
SHA-256: c4ef13b671389c5d0535d7f6be40eb35d22bee031eae1a7d1f36fbb1edbcb018 |
|||
font_01_sfnt_off0001014e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1014E | 18276 bytes |
SHA-256: 374338235671d13f668524fd18cda2620eb068410a838eb3fe93ca5a10f41e74 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.