MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains numerous links, many pointing to compromised WordPress sites and disposable hosting, indicating a link farm designed to distribute malicious content or phish users. ClamAV detection and ML classification strongly suggest malicious intent. The presence of a download button lure further supports a malicious workflow.
Machine Learning
- Nyx PDF Classifier malicious score 0.9951
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://xycrusher.com/d/files/10607409817.pdf In PDF document text
- http://richmore.kr/uploadfile/fckeditor/file/bakukizegituwu.pdfIn PDF document text
- http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f02004bfccd---wetowetowejapuviwele.pdfIn PDF document text
- http://qhs1978.com/clients/d/dd/dd8db5a278a7ad55a2ada34b8e38ebcc/File/78960150243.pdfIn PDF document text
- https://uleshuzatabc.hu/files/file/fabivukixa.pdfIn PDF document text
- http://sazjah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160776602b6a9d---91219760626.pdfIn PDF document text
- https://solucionaesp.com/ckfinder/userfiles/files/goxopol.pdfIn PDF document text
- https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081be2e5aa08---74473281398.pdfIn PDF document text
- https://hoongnau.com/upload/files/38854713127.pdfIn PDF document text
- http://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608c283039e3c---firajiponajuxebevujadedub.pdfIn PDF document text
- https://solener.info/ckfinder/userfiles/files/86206966381.pdfIn PDF document text
- http://stallingreunion.com/clients/a/a3/a37dbb3dca22f8cb40f44de83fe48269/File/nerafotaxufodulaxovekumo.pdfIn PDF document text
- http://veterky.ru/ckfinder/userfiles/files/46624878471.pdfIn PDF document text
- https://www.idahomedia.com/wp-content/plugins/super-forms/uploads/php/files/0375f9f578861b132efb18b5ea375bfa/86983372969.pdfIn PDF document text
- https://budapestpainter.hu/ckfinder/userfiles/files/40081982213.pdfIn PDF document text
- http://principessavencanice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c80ed4dfcd---19520390446.pdfIn PDF document text
- https://premiumvipbusiness.com/wp-content/plugins/super-forms/uploads/php/files/bbd8524361d0049e396b254a0311865d/30809464839.pdfIn PDF document text
- http://yaqeen-eg.com/userfiles/file/74215942362.pdfIn PDF document text
- http://bike-aholic.com/UserFiles/file/93308872345.pdfIn PDF document text
- http://clearspace-design.com/CKEdit/upload/files/55610456841.pdfIn PDF document text
- https://selispin.com/calisma2/files/uploads/80039837562.pdfIn PDF document text
- https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/16083ba069b657---18357329558.pdfIn PDF document text
- http://rivucota.com/upload/files/56087647550.pdfIn PDF document text
- https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/vqpe4665iqk6m8gdojnai22rmp/weladirufoxigo.pdfIn PDF document text
- https://wulf-sanitaer.de/wp-content/plugins/super-forms/uploads/php/files/iqmmde5pfce97t55k4aibtrcrf/75045535204.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/6naE_Nh8_CY/uplcv?utm_term=operations+manual+template+easaPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000de42.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE42 | 17504 bytes |
SHA-256: 676628b2ac58e35cc5b9a179a1649e164eeae747b1d6d2e81c75201125f3d2fc |
|||
font_01_sfnt_off00010bd5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10BD5 | 10536 bytes |
SHA-256: 9c23c3684a2cd13282159ff3b67f5aab7a4b697c7d6264b0b2bcf976cdbf7a63 |
|||
font_02_sfnt_off000123d9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x123D9 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.