MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a link farm pointing to multiple compromised WordPress sites, indicating a likely attempt to redirect users to malicious content. The ML classifier strongly flagged this PDF as malicious. While no scripts were extracted, the structure and embedded URLs suggest a phishing or malware distribution lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9929
Heuristics 5
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/160903fb35b7e6---gukojoxitisi.pdf
- https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/160893372d957b---wamifosejol.pdf
- http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/1608f697f5cbbb---56276135965.pdf
- https://daluxerealty.com/wp-content/plugins/super-forms/uploads/php/files/jj6jiu9gh1i4fc5ctt1ef7gq01/zerulitegosudilusot.pdf
- https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ac508dc8d07---weveto.pdf
- http://dabaizhongxue.com/upload_fck/file/2021-6-8/20210608061853433020.pdf
- https://xn----8sbaavnccwq4am.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/dab6c8e258f9e0d74bc9b85fe17a076e/61725406605.pdf
- http://blog.crowdly.com/wp-content/plugins/formcraft/file-upload/server/content/files/160962bd17e998---mubuzilozegix.pdf
- http://www.expertnutritionadvisor.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c12aef7b5f3---9992618507.pdf
- http://brmhn.com/userfiles/file/20210602053804_cd7ahk.pdf
- http://slowjamsundays.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073fe731c30c---86974138079.pdf
- https://hacunamatata.ru/wp-content/plugins/super-forms/uploads/php/files/b5dc88e35dab732271e3f05214a2f4f5/zibinepojopik.pdf
- https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/06f0e56139c48f1c399aab000a1bd91b/72369010017.pdf
- http://peaceinsrilanka.lk/userfiles/file/xizipujesubiwifajesi.pdf
- http://robalton.es/Albums/images/file///10457739198.pdf
- https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/117b5c8b5a6b61f4177a53cb0ab9ed0d/84815331286.pdf
- http://www.allatpatikapecs.hu/images/file/gamutibaxojatanaliliz.pdf
- https://fitnessrev.net/wp-content/plugins/super-forms/uploads/php/files/r5ndah9l41ul8eao0cnrtnhkvl/putuvuzekunolajulosopi.pdf
- http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608a989ce2abf---74383002024.pdf
- http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1606c91425c5e1---23465288907.pdf
- http://mtsskzy.com/userfiles/file/63623901127.pdf
- http://gospel-pour-100-voix.com/fichiers/newsletter/file/85878414838.pdf
- http://rajskiewakacje.pl/userfiles/file/tebesafugalu.pdf
- https://ngoctraithaibinhduong.com/uploads/news_file/nabatofapikonerodawifa.pdf
- http://drkoopman.nl/cmsimages/file/8887282861.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=1000+amazing+facts
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010a19.bin05e2bf1fe3af85655297fc80814c64d8f75129f99abae6afee4d5fd64c188490 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10A19 | 10420 bytes |
font_01_sfnt_off000121c5.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x121C5 | 16792 bytes |
font_02_sfnt_off000139d7.bin90ff7d4fe3a61d9f5946b8caafa2fe6826a63b674ec9381fd00b603e29a573df |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x139D7 | 18040 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.