Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The sample is a PDF document identified as malicious by ML classifiers and ClamAV. It contains numerous embedded URLs, many pointing to compromised WordPress sites, suggesting it functions as a link farm. The primary purpose appears to be directing users to external resources, likely for phishing or to download further malicious content.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9942
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs extracted from the document:
- https://huntic.ru/uplcv?utm_term=household+items+worksheets+pdf
- https://ols.lighting/wp-content/plugins/super-forms/uploads/php/files/fb2ee46b219cc2f272a23e0a5a0350ea/53629766192.pdf
- http://www.sealjet.mn/pictures/files/kegaximimopidawesaba.pdf
- https://marciasmithconsulting.com/wp-content/plugins/super-forms/uploads/php/files/f0261d1154a07d43baa712fa651fb537/nuwuvorotut.pdf
- https://cedarcreeksauce.com/wp-content/plugins/super-forms/uploads/php/files/af5b2fa8a6fe2b5636fb5492a1c3d869/fufuwulox.pdf
- https://vietnaminsight.biz/ckfinder/userfiles/files/sawememijanime.pdf
- http://zangerlelaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/dajilukawatapuda.pdf
- http://songhakbbq.com/uploads/files/feworosawasurap.pdf
- https://pyhm.ca/wp-content/plugins/super-forms/uploads/php/files/vlgphr1g4aotmr43gma5fmair2/jifoxetokof.pdf
- https://www.americansummercamps.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608425b06df30---63062425464.pdf
- http://tks-forever.com/upload/2021/07/14/file/gazitaxamemaz.pdf
- https://mytutr.com/wp-content/plugins/super-forms/uploads/php/files/0e21964bf27fa5793624ff6ac5f7e1fd/9351726930.pdf
- https://glowskincare.net/wp-content/plugins/super-forms/uploads/php/files/cf76afb7720f25e6aea28767ea46ae99/kemimit.pdf
- https://trellisdundee.com/wp-content/plugins/super-forms/uploads/php/files/641a545ac12913d5f337c23bba8e967c/57497585359.pdf
- http://gapp.fr/medias/files/pivuwuwafoluwasexugipuk.pdf
- http://acquadiqualita.it/ckfinder/userfiles/files/dowitevonimezo.pdf
- https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b70088d5c68---56557382146.pdf
- https://earthchartercities.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607e2d3e28ecf---79719811872.pdf
- https://magerp.org/upload/files/24434876200.pdf
- https://louvre.lv/res/wysiwyg/file/62461250493.pdf
- http://sushikyototogo.com/uploads/files/91006874139.pdf
- https://www.demetagras.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d55ddcf2fa---96760355072.pdf
- https://laser-arena.ch/wp-content/plugins/formcraft/file-upload/server/content/files/16087d4014e2a5---bimusowalukejox.pdf
- http://hi-reid-solutions.com/wp-content/plugins/super-forms/uploads/php/files/4635a70dbbc443b42fb072c700e08dee/77425737576.pdf
- https://aronabritcan.com/userfiles/file/59587626382.pdf
- http://www.stratcareerservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f9045efe27---tesefilu.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000f032.bin (9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF032 | 16792 bytes |
| font_01_sfnt_off00010849.bin (44400a3915419908715da07bb2bf053d959c0f72fe12ad6262953acb414ec9ae) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10849 | 10768 bytes |
| font_02_sfnt_off0001210d.bin (07dde648ab77fbad2d82c584810a9881adeb7edc47c2338d3d8fc295ee58f73e) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1210D | 17576 bytes |