MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains numerous external URIs and is flagged as a link farm, suggesting a phishing or SEO manipulation attempt. The embedded JavaScript stream and ML classifier further indicate malicious intent. ClamAV detection confirms this as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9905
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://jingluo.net/uploadfiles/files/18779775772.pdf
- http://impressivetravelvietnam.com/upload/files/60473200966.pdf
- https://office-agglo-larochelle.fr/userfiles/file/runuwaxetizopijaxoz.pdf
- https://air-separation-supplier.com/d/files/77966392565.pdf
- https://buyafranchise.org/files/files/77833558168.pdf
- http://mitcostruttori.it/userfiles/files/mexetov.pdf
- https://elemonbg.com/Files/File/lunawokudinuse.pdf
- http://ondrejkocar.cz/img/file/kunugodugug.pdf
- https://betenrealestate.com/sites/default/files/file/88088294864.pdf
- https://aurorabersinar2.com/contents/files/5671542133.pdf
- https://asigurareingermania.ro/wp-content/plugins/super-forms/uploads/php/files/i73782lq3lt39niqohivtkt0gr/xareradelobupowo.pdf
- http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/161304bd93ba75---48658580281.pdf
- http://traktor-tv.de/sites/default/files/file/ravuwabiweda.pdf
- https://keiba-like.biz/js/ckfinder/userfiles/files/gazotigisuparatok.pdf
- https://rippa.pt/files/file/kitazinutu.pdf
- https://magnanelli.com/userfiles/file/89840700224.pdf
- https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/16137307312045---demadim.pdf
- http://ihanzao.com/userfiles/file/20210905181121_1092048116.pdf
- http://www.vandiestbrandstoffen.be/uploads/files/33386961071.pdf
- http://denge.aero/upload/files/vewakudo.pdf
- https://10glazsikeyrosa.ru/file/gapiwuvum.pdf
- https://coastalholidayproperty.com/ckfinder/userfiles/files/jezok.pdf
- https://creativesilhouettes.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1613c777fb4c70---60176254049.pdf
- http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/161352aba1c984---zasegakosudas.pdf
- http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614008eb6dfb6---22087502163.pdf
- http://eros-arena.com/eros/userfiles/file/48361614453.pdf
- http://harryreichert.de/uploaded_pics/News/file/xasogizekewose.pdf
- https://cfaegaianascente.pt/portal/userfiles/files/mipobafidowuzonozefuko.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/1xuhb7AK25c/uplcv?utm_term=fifa+game+for+android+offline
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f474.binbe4d895acbdd1df8d1ca54aa18911bccaae96d700d2a86b7639b83aca39a8db7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF474 | 16780 bytes |
font_01_sfnt_off00011ff6.bin78ae0fce0ec94ed96dba2bfdeec424ca4007f5bb091b49670899972c585da50d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11FF6 | 10408 bytes |
font_02_sfnt_off00013737.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13737 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.