MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The file is identified as malicious by ML classifiers and ClamAV, with heuristics indicating it's an advance-fee scam lure. It contains numerous links to PDF files hosted on compromised WordPress sites, suggesting a link farm designed to distribute malicious content. The document body, though heavily obfuscated, contains references to free movie downloads, a common lure for such scams.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c5c8654989---71517091857.pdf
- http://upperdublin1970.com/clients/3/3b/3b2fb281f4756d03d37a29c41a8c1d95/File/70457493346.pdf
- https://businesslife.com/content/file/fajetadenoniwugi.pdf
- https://stillwaiting.org/userfiles/file/fulipepomufefam.pdf
- https://www.etbsupplies.com/wp-content/plugins/formcraft/file-upload/server/content/files/160982be770d98---46583654178.pdf
- https://www.mixedclass.com.au/wp-content/plugins/super-forms/uploads/php/files/6d0vlil0cochc2j50fk4mirie7/rosanurugip.pdf
- https://petroblend.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076b453c78c7---82616667757.pdf
- https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/5da62995c3cfe5abbb53cdcba6a3db94/kedazutanim.pdf
- https://mamadona.ru/ckfinder/userfiles/files/60563211307.pdf
- https://asaptransfers.co.uk/wp-content/plugins/super-forms/uploads/php/files/air9o5299ppgk4b7ptam96j8j5/28374443956.pdf
- https://www.rath-catering.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607d8bf526335---98240556476.pdf
- http://ansonseatery.com/uploads/files/95298597299.pdf
- https://www.a2zmedical.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16090322f9a76d---14753956157.pdf
- https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/04ec8f7c07d49bbb24e4dc7f62241213/kubokarajumomaza.pdf
- https://tlpnw.com/wp-content/plugins/super-forms/uploads/php/files/1d3c9517fa56fa12de9e31e108fa7893/xapadesuwasafagexuriwanup.pdf
- http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160752b4590873---pemogekenawurud.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=twilight+breaking+dawn+part+2+full+movie+free
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
- http://scripts.sil.org/OFL
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off0001662b.bin251ea6b9bd683ac6a722a3041247bc8db6f2f7335eaf32f069eb70a798a49439 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1662B | 22012 bytes |
font_00_sfnt_off00011c5c.bin546acd1a5a47648eedd65b65f2bc63d7c13a5797fedbece43ef8ae6b2ec800f9 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11C5C | 2988 bytes |
font_01_sfnt_off0001270e.bin008d1afcbba3087c11e14794e335350f5fc6e029894023aa3f8b61957b6be806 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1270E | 5716 bytes |
font_02_sfnt_off00013a6c.bin65b5282682351649f81a7fd9862c56f03dfb86f3457ca2e2c71a08bdb8e77181 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13A6C | 13720 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.