MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains numerous embedded URLs pointing to compromised WordPress sites and other domains, indicating a link farm designed to manipulate search engine results or distribute malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent. No scripts were extracted, but the sheer volume of external links suggests a primary function of redirecting users to potentially harmful external resources.
Machine Learning
- Nyx PDF Classifier malicious score 0.9951
Heuristics 5
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://oniceh.ru/uplcv?utm_term=bypassing+a+ballast+for+led+lights
- https://nscs.org/wp-content/plugins/super-forms/uploads/php/files/4872021ce49adecf3a8f5c341847df74/28266681675.pdf
- https://samiznojmo.cz/wp-content/plugins/super-forms/uploads/php/files/29d523f0f17029dd8b259714e83a896c/lefus.pdf
- https://christianboudreau.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b88ed2b36b4---riboxababobotevetika.pdf
- http://neodev.space/wp-content/plugins/formcraft/file-upload/server/content/files/16084ca719cdde---29920508172.pdf
- https://janeunchained.com/wp-content/plugins/super-forms/uploads/php/files/ofofkchf9ng13nb30po5ssianb/27579770495.pdf
- https://tavcam.com/upload/ckfinder/files/busijoforuwimoki.pdf
- https://www.travelticket.com.au/wp-content/plugins/super-forms/uploads/php/files/77r9en21ng5hltg7bfc860mbvv/wejazarijowipovagolote.pdf
- http://habitat3.eu/userfiles/files/75677221793.pdf
- https://thedestinbeachhouses.com/wp-content/plugins/super-forms/uploads/php/files/1bfe60e7af4cceb7f6521d0b35edcd32/79459397276.pdf
- https://www.cedicar.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ae12009392---4599739739.pdf
- https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/ahsfd9k653p3lems0jtm5augsj/mimin.pdf
- https://goldenparadisestsimons.com/wp-content/plugins/super-forms/uploads/php/files/c99176c36596418108cf2067b2978351/xewazixez.pdf
- http://moscowprice.com/content/xuploadimages/file/99670221481.pdf
- https://mariellatriolo.it/public/file/73662582503.pdf
- https://arendic.cl/files/wajifezogovexo.pdf
- http://www.jcca.co.in/wp-content/plugins/formcraft/file-upload/server/content/files/160c3faece506d---83556731741.pdf
- http://starsunited.at/upload/files/lesetijexewilodegidanepa.pdf
- https://atolab.it/wp-content/plugins/super-forms/uploads/php/files/2785f444de25c644a80e604e4d97616f/kuwigoviwezikera.pdf
- https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/8fe3bdf07d9979f1fcf3c1fcb6dc55f0/98592543297.pdf
- http://extreamtuning.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1608caa18b62d8---pefuvu.pdf
- http://optikametuje.cz/userfiles/file/12150527466.pdf
- http://vhktn.at/images/content/files/38515074289.pdf
- https://www.syah.org/wp-content/plugins/super-forms/uploads/php/files/dccbce03ac45f994b47551d0b8799a15/numiviw.pdf
- http://cathyknightwaite.com/ckfinder/userfiles/files/99671813870.pdf
- http://stolizstekla.ru/userfiles/file/repezureziw.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e6a3.bin8d790015ba4002ece08fcc56fe14978b8c71f5e44a9267d6e9c661364ec9d35a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE6A3 | 11084 bytes |
font_01_sfnt_off00010008.bin7a677516d580a98e6130677485c1f58eb720b5ec9c1b9f5d3962cdbb9a50c876 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10008 | 17284 bytes |
font_02_sfnt_off00012ce2.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12CE2 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.