MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded links, many of which point to compromised WordPress upload directories and other potentially untrusted domains, suggesting a phishing or malware distribution scheme. The presence of external URIs and link farms further supports this assessment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://totaldeliverancecathedralchurch.com/clients/2/22/22dae496a1749ae881e6bee195142b05/File/84743206907.pdf
- http://a-swiss.com/upload/userfiles/file/99805736087.pdf
- http://giustizianuova.it/userfiles/file/28936106895.pdf
- http://ilovegabal.net/fckeditor/_upload/file/87396272014.pdf
- https://www.ikedatosou.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2aac73b245---57377827882.pdf
- http://domesticsolutionsagency.com/userfiles/file/95226715841.pdf
- http://softwarefactory.nl/images/file/34393995145.pdf
- https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/1126e8d54cde3e8811d0dd174cf7be93/55009496614.pdf
- http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160869594bd0e2---jixewurotudojedepez.pdf
- http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/1460138p85kcis6dauko720320/49267232435.pdf
- https://hagepoorter.be/files/files/wojonetufusi.pdf
- http://alnoorcity.com/userfiles/file/wanafezuwadigixujituwi.pdf
- https://atamergranit.com/userfiles/file/vorazalivigaxezuvamovixi.pdf
- http://bettaletroom.com/file_media/file_image/file/75212624344.pdf
- http://magyaringatlanadatbazis.hu/dev/_user/file/wafor.pdf
- http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/16086b79a4fb26---fuwesuwivos.pdf
- https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/559f744416c92e382634053e431f93cd/2896771294.pdf
- https://www.pferde-fuer-unsere-kinder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607bd358a8280---30353476684.pdf
- http://www.yourhealthyourchoice.org/wp-content/plugins/formcraft/file-upload/server/content/files/16086f0d638bec---garefunuvowus.pdf
- https://www.gs-gleichmann.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ba352a152ed---zaxevepufen.pdf
- http://agcslohian.com/userfiles/file/30555280565.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=how+to+create+dark+brown+color
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e830.bin7493f039e9c4825e8104a94ba3c8353cc355db1771247a0f4e800d1d2636f2ac |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE830 | 10412 bytes |
font_01_sfnt_off0000ffe7.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFE7 | 16792 bytes |
font_02_sfnt_off000117f9.binbf4a11ad7a11089a16ceeb852ff39f1d611b642d00c0e8428fb3d8dd521a542b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x117F9 | 16208 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.