MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous links to external websites, many hosted on compromised WordPress sites, suggesting a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a malicious document designed to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://medvor.ru/uplcv?utm_term=telling+the+time+worksheets+year+4
- https://bistro-8.com/wp-content/plugins/super-forms/uploads/php/files/9b86bea7d70657457b9c71d064d32288/piwenojipubidatobav.pdf
- http://brandiassociati.it/userfiles/file/nigemaz.pdf
- https://asigurareingermania.ro/wp-content/plugins/super-forms/uploads/php/files/gt7h73ic00bqfhgvs6nfck6fkm/zemumagalokatawunagi.pdf
- https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/4satnr7mj3q0b4do8h0eb6it6h/61355344370.pdf
- https://arvikabc.com/images/uploadedimages/file/7254521634.pdf
- http://www.bridalchapel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088332a94921---fojoresurabinunom.pdf
- http://exactblue.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c9a2c7fcea---towidokabaridekagojebuzes.pdf
- http://protech.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/160a2bc676d5ac---runadezekit.pdf
- https://www.bouwenaaneensterkwerkgeversmerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a8b7d0689e1---69750798444.pdf
- http://finsura-lifedirect.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1606c6b6fcd934---jimijudilejikutidigibulu.pdf
- http://snookerfootball.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160ac35e1ea77d---rosivibaxobopijogeziwuv.pdf
- https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a15a817fcc7---1291459695.pdf
- http://phenix-security.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16090664a5ad41---43521361419.pdf
- http://drivescuolaguida.it/userfiles/files/noxebilawalexu.pdf
- https://www.cedicar.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d162e5e333---pobitumogi.pdf
- https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/d09df606b3f4e4881ec197859b65e7ba/kudikadojamexuw.pdf
- http://www.catalogodecineargentino.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a95d1da1ce7---piduduf.pdf
- https://www.tctnanotech.com/wp-content/plugins/super-forms/uploads/php/files/674c42c40f3f3c9c9807e3a6b0c6c848/jemezido.pdf
- https://kindliving.org/wp-content/plugins/super-forms/uploads/php/files/tmp/62054935593.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://bxthirteen.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/97c545af9143081f0855090c2daed389/58834849148.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fe23.binbf2ddab2292d5eca55c298561a3aed75e89cc68d396915745e62d9e2b90f341f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE23 | 5392 bytes |
font_01_sfnt_off0001106a.bina4dc99c40824e5cdc446f75a23d4d67f5bf9abd5ba20d923b0e94676983fe438 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1106A | 10400 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.