MALICIOUS
146
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 User Execution: Malicious Link
The PDF file contains numerous embedded URLs that point to various domains, many of which appear to be compromised WordPress sites or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a pattern of using numerous links on different hosts, often with UTM parameters, which is a common tactic for phishing or distributing further malware. ClamAV also detected this file as 'Pdf.Phishing.Trojan'.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4799
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Clickable URI points to raw IP address medium PDF_URI_IP_LITERALPDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILEDThe cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://chcial.ru/uplcv?utm_term=higher+secondary+zoology+lab+manual
- https://nnkcreations.com/userfiles/file/fumefitebubutikaludi.pdf
- http://andrelandberg.com/userfiles/file/49947609285.pdf
- https://bio86.net/fichiers/71410221499.pdf
- http://activesolutionelectric.com/images/file/nixaduzo.pdf
- https://luminex.pl/upload/file/tutaxiwojabekafazexe.pdf
- http://adaviestransportltd.com/userfiles/file/lewusokoroladaperedefibif.pdf
- http://xn--pr3b03lcdvwu9dpynqkc.com/DATA/file/20210626135424.pdf
- https://afd.me.uk/wp-content/plugins/super-forms/uploads/php/files/7j5h8v0dga09f668g26spn2rd5/32531371479.pdf
- https://shiokerbau1.com/contents//files/97084900245.pdf
- http://hongshengfish.com/uploadfiles/2021061714450395342.pdf
- http://www.tsssport.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607dfa8b332e6---zajaru.pdf
- https://anzmrrn.org/wp-content/plugins/formcraft/file-upload/server/content/files/160accd45c8601---81821108996.pdf
- http://www.mediacomriccione.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b2155bed2d9---bigikigavo.pdf
- http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/16086d69679ed0---45111840809.pdf
- https://vate-tire.ru/wp-content/plugins/super-forms/uploads/php/files/418164e23ac20209e2dbd2610773e8ba/vogik.pdf
- http://anhbanglaw.com/userfiles/file/sugijigixironuvajobenefax.pdf
- http://mdbim.pl/ubezpiecz/obrazy/file/gixukar.pdf
- https://carstenrath.com/wp-content/plugins/super-forms/uploads/php/files/720j4ge11qh402jvn628pb9l86/lapukuvog.pdf
- http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/160786d1e70596---jaxibudevi.pdf
- https://singaporeroadshow.com/wp-content/plugins/super-forms/uploads/php/files/1ef1331bf0fc9aa5103b1c9c412eb338/73708438468.pdf
- http://exactblue.com/wp-content/plugins/formcraft/file-upload/server/content/files/160786e396185b---35023583251.pdf
- http://lagostena.it/userfiles/files/toxifapopileramasuteb.pdf
- https://ilc.ua/wp-content/plugins/super-forms/uploads/php/files/sglpdnsacjdko3dcq4d777l1k0/82166250203.pdf
- https://pavaniautismschools.com/wp-content/plugins/super-forms/uploads/php/files/uqba44n0oeom5r5mvm29pgtp7j/5537134856.pdf
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0002177c.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2177C | 16792 bytes |
font_01_sfnt_off00022f93.bind9d9389b244f0c4da262f9e55e4d18813eac6b125b0dc793b0e64f6bafc9e0fb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x22F93 | 11124 bytes |
font_02_sfnt_off00024914.bin76a8e91dff72d523a039b2a4922f565968fb42d91caa32a19c059a3a1e0ef615 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x24914 | 17876 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.