MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is a PDF file containing embedded JavaScript and multiple links to external resources. Several heuristics indicate that the PDF acts as a link farm, directing users to potentially compromised websites hosting further malicious content. The presence of embedded JavaScript and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggest malicious intent, likely to deliver a phishing lure or a second-stage payload.
Machine Learning
- Nyx PDF Classifier suspicious score 0.2990
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://juraganmonyet.com/contents/files/zegidojojugenutikew.pdf In PDF document text
- http://donauwell.at/userfiles/file/37066239167.pdfIn PDF document text
- https://getracemirates.com/userfiles/files/37262832121.pdfIn PDF document text
- http://af.ssla.ru/images/fornews/files/33483712887.pdfIn PDF document text
- https://gemwares.com/userfiles/file/pubevodanugosizotisege.pdfIn PDF document text
- http://stellar.ru/ckfinder/userfiles/files/gapiwefosuxasi.pdfIn PDF document text
- http://www.patricktennis.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1613fb90ad2355---zugobenibaruwemilur.pdfIn PDF document text
- http://aihyang.com/userfiles/file/guforotovotamipuk.pdfIn PDF document text
- http://alessandrobelleseveterinario.eu/userfiles/files/88828768528.pdfIn PDF document text
- http://cautrucpalang.vn/webroot/img/files/24604193566.pdfIn PDF document text
- http://fogathajtohirek.hu/fckfiles/file/3815867303.pdfIn PDF document text
- https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/0705643af4dede3ca8636a14cbf4eeea/14326804068.pdfIn PDF document text
- http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/9f21b128c602428240aded5048baf3d7/kebijalezana.pdfIn PDF document text
- https://nceptionsolutions.com/wp-content/plugins/super-forms/uploads/php/files/62668aab87f7e3b60e3eea13293e72be/71967434350.pdfIn PDF document text
- http://associatedreclaimed.reclaimedoils.com/userfiles/files/83288458702.pdfIn PDF document text
- https://maftplayer.net/calisma2/files/uploads/kipujalabe.pdfIn PDF document text
- https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/1613f7b23ab495---75088700866.pdfIn PDF document text
- https://intrigantka.ru/images/userfiles/file/31030352194.pdfIn PDF document text
- https://ambulatorioveterinariosismondi.eu/file/84216541004.pdfIn PDF document text
- http://zrdb-drogbud.pl/Upload/file/xukarasogelumezunede.pdfIn PDF document text
- https://cihangirhotel.com/upload/ckfinder/files/45176773904.pdfIn PDF document text
- https://silatur.com/js/ckfinder/userfiles/files/putirulalewo.pdfIn PDF document text
- http://eventechsite.com/files/files/lelifopem.pdfIn PDF document text
- http://dostavka.markasib.ru/ckfinder/userfiles/files/87246313863.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=hacked+clash+of+clans+downloadPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f015.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF015 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_01_sfnt_off00010827.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10827 | 18700 bytes |
SHA-256: 81b402ce0aac332e0587d3b9aa51e145d4917c0b7157cdb487435b23d6756f75 |
|||
font_02_sfnt_off000138fd.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x138FD | 10452 bytes |
SHA-256: 0628ee72171b8771cfc416f061f0575f3dd5348623de552007d19dcf3f05ea81 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.