Verdict: MALICIOUS
Risk Score: 176

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.001 User Execution: Malicious Link
The PDF file was flagged by a machine learning classifier and by ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate it contains a link farm and a callback lure, suggesting it is designed to trick users into contacting a malicious entity. The presence of numerous external URLs, many hosted on compromised or disposable domains, further supports a phishing or scam campaign.

Machine Learning
- Nyx PDF Classifier: malicious score 0.9989
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fe95.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE95 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
| font_01_sfnt_off000116a7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x116A7 | 18868 bytes | 11699b37180e02ff320b7a84d58fd2cefe7bf76703d10e2d96f7eb1789d5fc95 |
| font_02_sfnt_off0001477e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1477E | 10724 bytes | cd65deb6a4450fea0a63f078c0ad0901e8269e7f2ee77e0388c81929ea3730bf |