MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
T1059.007 JavaScript
This PDF file is identified as malicious by ML classifiers and ClamAV, exhibiting characteristics of a social engineering attack (ClickFix). It functions as a link farm, directing users to various URLs, including one that appears to be a download link for Minecraft mods, likely a lure to encourage clicks. The presence of multiple compromised CMS upload links and disposable hosting further supports its malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
ClickFix social engineering attack high SE_CLICKFIXDocument instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://inwebjor.ru/uplcv?utm_term=minecraft+pe+mod+minimap
- http://thm-holding.ru/wp-content/plugins/super-forms/uploads/php/files/19c3421d7cf8852af6ac8b3d86d17fad/4600756705.pdf
- http://www.unidacardoso.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c3e7683c2e8---52741903474.pdf
- http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a14153a9d3f---95204128980.pdf
- http://stroynerud-sm.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160a2e5418993b---nimewexo.pdf
- https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a72fefdcf02.pdf
- http://a1-automotivegroup.com/upload/files/daxufekirugigotalilip.pdf
- https://www.beadvised.co.uk/wp-content/plugins/super-forms/uploads/php/files/fefad46bc36b4c9a0c4420e8d039be6f/fuwefekab.pdf
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609bf49a59fee---tabatebi.pdf
- http://ilovegabal.net/fckeditor/_upload/file/numexame.pdf
- https://hiampelectric.com/wp-content/plugins/super-forms/uploads/php/files/9bc524a9ef37b3f12e554e55ca76f22a/92047234906.pdf
- https://www.financedeclined.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160747a4f3e802---mukivewovivemugidilaz.pdf
- http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607d81a03bf82---jelusudozujuk.pdf
- http://projectbudapest.hu/wp-content/plugins/formcraft/file-upload/server/content/files/160a300e5d1708---61544985824.pdf
- http://ovartec.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076e8255e61b---12680075263.pdf
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a436303da5b---rezedijiki.pdf
- https://caravanandre.it/wp-content/plugins/super-forms/uploads/php/files/74bd50c744100edb32a55bfbc74f7322/genakofeze.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
- http://scripts.sil.org/OFL
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off0001241f.binf53a3d3f66b9691eb68b49409ecab5825ea869e642f13ab515e85bc7858f8096 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1241F | 25848 bytes |
font_00_sfnt_off0000ebaa.bin07a47c54a83f49715c2b7886a69a4a9eef9abf62ff329ca288f85829008c4817 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBAA | 5096 bytes |
font_01_sfnt_off0000fcfa.bin0275f34cce70bda2407745b90772b600a4fcbf7078665f18ca6dd49a1d5e105d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCFA | 11348 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.