MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The 'SE_BROWSER_INSTALL_LURE' heuristic suggests the document's primary purpose is to trick the user into installing a fake browser extension or update, a common social engineering tactic. The presence of numerous links to compromised CMS upload storage and disposable hosting further supports a malicious campaign, likely involving phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9786
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://lawyerupsmart.com/tempimg/file/22727492754.pdf In PDF document text
- https://www.straightmyteeth.com/wp-content/plugins/super-forms/uploads/php/files/d7c5c19f4bb6de4b641f3dfb4dae2dd0/rigin.pdfIn PDF document text
- http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e042d1322d---luloto.pdfIn PDF document text
- https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/904f4196681e518cd522dd43e9fc508b/31709538982.pdfIn PDF document text
- https://masterok-kovka.ru/wp-content/plugins/super-forms/uploads/php/files/93d6e4b2d52eb96cd94f01d0f40ebba2/27644005666.pdfIn PDF document text
- https://www.lang-mayer.de/wp-content/plugins/formcraft/file-upload/server/content/files/160aa08f27d42e---zateludagojewi.pdfIn PDF document text
- http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607a38df821d2---85225628715.pdfIn PDF document text
- https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/387vor2du1dcp5v6ie7q2jg6fs/64835259896.pdfIn PDF document text
- http://pvsystexperts.com/wp-content/plugins/super-forms/uploads/php/files/vgbrldqmt5v9k8tr68e9luud83/nageruzonosu.pdfIn PDF document text
- https://jetzterstrecht.hamburg/wp-content/plugins/super-forms/uploads/php/files/etrbj63o951ngfbh6bdq2mrjp1/85774404988.pdfIn PDF document text
- http://axiomestates.com/userfiles/file/baxaduruferu.pdfIn PDF document text
- http://dzbnf.com/upload/file///zebujapitenupikogolutonet.pdfIn PDF document text
- https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160964373620ed---95682568383.pdfIn PDF document text
- https://engineeredrepinc.com/wp-content/plugins/super-forms/uploads/php/files/082e4621b084afbe5094a588a909f3f9/momivogagepiwaz.pdfIn PDF document text
- http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/1609f858598d56---lixuneromoxor.pdfIn PDF document text
- https://andrejc.si/files/file/mawuduxotab.pdfIn PDF document text
- http://amtusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b5d17c888a---gonovijasekugab.pdfIn PDF document text
- http://bidmitt.com/img/files/file/rufinuwamoluzawodenome.pdfIn PDF document text
- http://www.tif.cn/wp-content/plugins/super-forms/uploads/php/files/ikeau1toi871o8m29a677pcmgt/3785571508.pdfIn PDF document text
- http://cnhhgj.com/upfiles/userfiles/file/13089013011.pdfIn PDF document text
- http://thesetnews.com/images/fckeditor/file/20068850515.pdfIn PDF document text
- http://nguyenquangcomputer.com/upload/ck/files/fujubapemewopifale.pdfIn PDF document text
- https://maxim-catering.de/wp-content/plugins/super-forms/uploads/php/files/ik2u27miamevk37u0a709ckkdh/jopewitadenag.pdfIn PDF document text
- http://fonnepal.org/userfiles/file/2664407530.pdfIn PDF document text
- https://xn--78-6kce7dfhb9dwb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/b37ce075ebeec749fd141c34cc6bb75a/rejanekojuref.pdfIn PDF document text
- http://abwingsva.com/uploads/files/kabomofaluvogonivipul.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=how+to+hack+pubg+krPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ec3f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC3F | 17304 bytes |
SHA-256: 4610ee8a00d362a26ec362822242d7616c8540ffbc07dba2109b9a05af41c1eb |
|||
font_01_sfnt_off000105d8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x105D8 | 10520 bytes |
SHA-256: 39a67396407ea64e0ac0806b9c651ec29fc8ece9a644f6a7c40ce0cb7fd0902d |
|||
font_02_sfnt_off00011dc5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DC5 | 17912 bytes |
SHA-256: d5a52d415297e0a3dbf8da41103b32440d626767561aae203f78380a44b75609 |
|||
font_03_sfnt_off00014d09.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14D09 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.