MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
This PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. The document contains numerous links, many pointing to compromised WordPress sites or disposable hosting, suggesting an attempt to redirect users to malicious content. The presence of PDF_URI and SE_PAYMENT_REDIRECT_LURE heuristics indicates a focus on financial redirection, a common tactic in business email compromise schemes.
Machine Learning
- Nyx PDF Classifier malicious score 0.9942
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LUREDocument describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://wastran.ru/uplcv?utm_term=rm+to+dollar PDF link annotation
- https://amitadevnani.com/userfiles/file/94205641296.pdfIn PDF document text
- https://nazragame.com/calisma2/files/uploads/janibefofoz.pdfIn PDF document text
- https://alfa-clining.ru/wp-content/plugins/super-forms/uploads/php/files/dee2ed124d68d55cfbd31d87f41ddc92/43433240505.pdfIn PDF document text
- https://goldengrowers.com/wp-content/plugins/super-forms/uploads/php/files/612076f77db84cf6d85bf604a1184044/bapilebipa.pdfIn PDF document text
- https://www.propertyfilevault.com/wp-content/plugins/super-forms/uploads/php/files/75d1825ec5a73043cba6d3ee23dc514a/vasuwibubigugudasajamo.pdfIn PDF document text
- https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/cn2ej4du5l985s7ckue536dmm7/waxatebufuraxurirotunove.pdfIn PDF document text
- http://apexibd.com/uploads/fck_uploads/file/22743639736.pdfIn PDF document text
- http://ipmarketing.net/userfiles/file/musolebiruferezufidowozuf.pdfIn PDF document text
- http://www.nationaalgolfcongres.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b31c56b3ba6---62597399213.pdfIn PDF document text
- http://www.carolglassman.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6a1377c8af---72163437903.pdfIn PDF document text
- http://matrixuniverzum.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160cb14012a857---zuvinup.pdfIn PDF document text
- https://noks.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1608063bf835ff---dulogula.pdfIn PDF document text
- https://mediabandit.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609af83bc2ed0---xolebiran.pdfIn PDF document text
- http://fszhenjia.com/upfolder/e/files/20210530082641.pdfIn PDF document text
- http://shortguycentral.com/ck_uploads/files/56083425521.pdfIn PDF document text
- http://ahxxzx.com/userfiles/202106/file/wizajo.pdfIn PDF document text
- http://gillsandgeckos.com/userfiles/file/34634781393.pdfIn PDF document text
- http://c2mag.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c05cf650e2f---pidabujabefamap.pdfIn PDF document text
- https://glosunspa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609cc00d7891a---31659858568.pdfIn PDF document text
- http://casinodanmarkjackpot.dk/userfiles/file/85649124529.pdfIn PDF document text
- https://intelean.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607683b9e56af---dasafagijipok.pdfIn PDF document text
- https://www.alphaveneers.com/wp-content/plugins/super-forms/uploads/php/files/73847c9f9c50df6e17f9fa8dc97b938b/49878860819.pdfIn PDF document text
- https://zlatartopalovic.rs//files/lalasupobibemiwiviga.pdfIn PDF document text
- https://mission4recruitment.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cfa181819e---26518068567.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000faee.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAEE | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_01_sfnt_off00011300.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11300 | 17764 bytes |
SHA-256: c42383fddead57e6c93489891ed77965de5dcb98fbd55ea262e1d3b5e2c9f869 |
|||
font_02_sfnt_off000141b9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x141B9 | 9960 bytes |
SHA-256: bbe0a28daa7bedf32984f2c058cbda50b26599287f7070b7bfe19788bbca6f5a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.