MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a link farm pointing to numerous compromised WordPress sites and disposable hosting, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The document body is heavily obfuscated and unreadable, providing no direct user-facing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9968
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://awlights.com/wp-content/plugins/super-forms/uploads/php/files/5ea637488047955e16fe9bc1e406ad3a/58479590763.pdf
- http://growlink.biz/userfiles/file/fajakip.pdf
- http://ruishikaishi.com/upload/content/files/2021/06/20210620225157.pdf
- http://clearlakesd.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c8544c05eec---bakuzaxavakowe.pdf
- http://chunmianxian.com/upfolder/e/files/20210624172946.pdf
- http://moje-stranky.eu/userfiles/file/dimidapixiduxijutikem.pdf
- http://wchs67.com/clients/f/fd/fd50fd9748f3592dabdfdad26f378f15/File/31435919956.pdf
- https://elitteaccesorios.com/wp-content/plugins/super-forms/uploads/php/files/vq7hlpg9k700m14iulp3h40c23/28465588247.pdf
- http://theopenhouseclub.com/wp-content/plugins/super-forms/uploads/php/files/5721914266d1380ff9e3e0e9812de41a/78930769360.pdf
- https://agermag.ro/mm/file/sevakemoki.pdf
- http://actionelectric.pt/www/wp-content/plugins/formcraft/file-upload/server/content/files/1606f2f4080b33---gubunoropel.pdf
- https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/t0sobtorn2o8i1fdl681j1pqqh/zafireluwubawibuzemuxi.pdf
- https://petroblend.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0f0ebc8204---bavozofuka.pdf
- https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/1p7cj63asd73i614vrvl864n9e/42564840211.pdf
- https://www.apartamentselsllacs.com/wp-content/plugins/super-forms/uploads/php/files/r4721ebjue1pg1qos4pmv3l85l/84388863729.pdf
- http://chicagohalo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8c513d9626---zufitukodonizuxuwogub.pdf
- https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/16077d6a3c136e---4648116232.pdf
- https://aslimitada.com/userfiles/file/gofotabuwapopuwaragoxe.pdf
- http://zigzagontwerp.nl/sites/default/files/file/ketinesobasirusirabowomef.pdf
- http://denki-shonan.com/uploadsfile/38743023350.pdf
- https://www.perfumista.co.uk/wp-content/plugins/super-forms/uploads/php/files/66bcd81298e13f327ec7988387bcbdb2/riwita.pdf
- http://bjoybrands.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096765756bbd---xerolumovozetagux.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=law+of+sine+and+cosine+word+problems
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d4c3.bin366bd89ad47ebc808ba35cbaed695d9efe1ecd3710eeaed4ab339bc84a62aa37 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD4C3 | 17188 bytes |
font_01_sfnt_off000101ab.bin1e478f22fd69fea5c6a51683f7a2ad2376292622dbbad83a9a3a58a9c68c5d2c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x101AB | 10868 bytes |
font_02_sfnt_off00011a8b.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A8B | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.