MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF document exhibits characteristics of an advance-fee scam, using lures related to lotteries, prizes, and parcel delivery. It contains numerous embedded URLs pointing to compromised WordPress sites and other disposable hosting, likely serving as part of a link farm to distribute malicious content or phish for information. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://wastran.ru/uplcv?utm_term=the+cost+of+goods+available+for+sale+is+calculated+as
- https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/ecb108bb40f8e47e4f6370efdc9d48c5/nikutobisu.pdf
- http://bestbuyfromindia.com/userfiles/file/29433938949.pdf
- https://imapcb.org/wp-content/plugins/super-forms/uploads/php/files/jcv8skj7im9ddbmtlgnpq7ba57/75039192245.pdf
- http://daugiavanthienphuoc.com/media/ftp/file/zajirolexusigazibakenesuv.pdf
- http://panda-es.tokyo/yamituki-n/uploads/files/xigir.pdf
- http://pension-erlkoenig.de/img/editor/file/38786297487.pdf
- https://www.lipfish.no/wp-content/plugins/formcraft/file-upload/server/content/files/16092f1ea494c2---52330982455.pdf
- https://www.dazzlingdecor.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160c38326d1d82---daresazalawuzukido.pdf
- http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a978b43369d---gimelakom.pdf
- http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8f4d15022---zedagaba.pdf
- http://am-assets.com/aom/magnolia/userfiles/file/68217255713.pdf
- http://subventionsbetrug.de/wp-content/plugins/super-forms/uploads/php/files/s2d5krji1h1vjfi0qd7lnt4vhm/fomila.pdf
- https://www.infrascale.com/wp-content/plugins/super-forms/uploads/php/files/024e9bab2d2caca242d20c9ebed3da3c/58937026747.pdf
- http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/4069833db2f1a38355902afe2cd45bfa/70978026125.pdf
- http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a1eda5c6861---pisoguwilo.pdf
- http://www.sarajevo-inn-grunewald.com/wp-content/plugins/formcraft/file-upload/server/content/files/160957e48cc548---rikafap.pdf
- https://unique.global/wp-content/plugins/super-forms/uploads/php/files/f22a02a2ef5ce1b7b39546131188aa27/35558731515.pdf
- http://paintingservicesonline.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608a56bda2989---32560596358.pdf
- http://grandinhr.eu/images/user/file/nulurupaluma.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e15e.bine73e8b2976c96faac511dbaebb06a980260651c28f091d13e4b509972d21acd2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE15E | 5432 bytes |
font_01_sfnt_off0000f3dc.bindab0bc17a4a6a419e704fb6854a6ca59292a3482a55998c6f03249a34a2ee7c9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3DC | 11184 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.