MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a large number of external URIs, many of which point to compromised WordPress sites. The ML classifier strongly indicates maliciousness, and the heuristic firings suggest this PDF is part of a link farm designed to distribute malicious content or manipulate search engine results. No scripts were extracted, but the structure and URL distribution are highly suspicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9956
Heuristics 5
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.tonygssoulfood.com/wp-content/plugins/super-forms/uploads/php/files/f4c6f199e9dca346b07d1c40285be7b8/6521013618.pdf
- http://eyupsifalibitkiler.com/resimler/files/28560900476.pdf
- http://fobosgrunt.ru/files/ckfinder/files/23861477916.pdf
- https://www.hediyevideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a31953a1b55---90776211649.pdf
- https://comodee.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088564842cde---43562272612.pdf
- http://sip7.online/wp-content/plugins/super-forms/uploads/php/files/f5e56212fde844bdae22e843df5ae5cf/54780027182.pdf
- https://nslogisticservice.com/userfiles/files/58709012992.pdf
- http://slowjamsundays.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a748a49c94f---kunuridowakejeze.pdf
- https://verandapattaya.com/userfiles/files/65702670243.pdf
- https://allcreaturesinc.com/files/files/93937015949.pdf
- http://optikametuje.cz/userfiles/file/potabokazowamepob.pdf
- https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/9bddcf55555da7b790d800b77ae70669/18412591438.pdf
- https://rhdplumbing.com/wp-content/plugins/super-forms/uploads/php/files/fb9937bd81b4ec17cbb809591cf5e004/bisezarivafugo.pdf
- https://www.citysecurity.org.uk/wp-content/plugins/super-forms/uploads/php/files/5ukujb841b7l5plr46t3v2l6nk/69534143366.pdf
- https://masterok-kovka.ru/wp-content/plugins/super-forms/uploads/php/files/c63299c37428769b5804e42a90e55398/47408006651.pdf
- http://www.uvhk.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b993eb284c2---nugirenajexujomupaso.pdf
- https://www.potterycommercials.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160853324a5857---xozomadifuzijukokibase.pdf
- http://adoriantarla.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1609b2829a9744---95885357373.pdf
- http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c01751c2b39---5176796819.pdf
- http://curry-box-deluxe.de/userfiles/file/1084652674.pdf
- http://tgtech-auto.com/userfiles/file/63019208639.pdf
- http://alimentosldm.com/userfiles/file/xuxesitozaxijusi.pdf
- http://evabody.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608425d3696fd---sozebewuluwebimafon.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=giant+covalent+molecules
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e8c8.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE8C8 | 16792 bytes |
font_01_sfnt_off000100da.bin54d70a65ae35bc7825e791b51b48a2e60259efe5ed9efb6952f25dd1afe9f978 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x100DA | 17324 bytes |
font_02_sfnt_off00012e77.bin88dda1fbf557ad63c55ca59bb0e12c824e419b57f4d6445b980aa7005fa6d39f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E77 | 10496 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.