MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript and numerous external URIs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to redirect users. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.9980
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://webmenuplus.com/images/file/bebovunerufiloxa.pdf
- https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/a0176b98263dd44f7613ffcea0673ffe/boradetof.pdf
- https://vinamex.info/uploads/news_file/81312511783.pdf
- http://rebeccafantarchitetto.it/userfiles/files/zapesamakagegovovekoti.pdf
- http://cokhibaosang.com/media/ftp/file/56229027860.pdf
- http://www.advancedevents.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16096f15a1a47f---99618071971.pdf
- https://atolab.it/wp-content/plugins/super-forms/uploads/php/files/aa3a790d1dfeeaadbf10dd8511afcb39/batebiwewimi.pdf
- https://octvads.site/js/ckfinder/userfiles/files/75030875064.pdf
- http://www.christinemartin.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a75ebc60e8a---14739798447.pdf
- https://personalloan2u.com/wp-content/plugins/super-forms/uploads/php/files/0c627a7f668c69c8e1a5193c3c202c6d/51002899164.pdf
- https://optimustelecoms.com/ckfinder/userfiles/files/nuzonogajuromasekupi.pdf
- http://compie.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160ba3d5b2895a---37077957923.pdf
- https://upchealth.net/wp-content/plugins/super-forms/uploads/php/files/7c521755d2d1c4c6febcd86deef70db5/nulopuluvirowejo.pdf
- http://tasteofruraleurope.eu/upload/File/60201662702.pdf
- http://www.vivelamusica.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607ebed94011c---ziwojube.pdf
- https://aeternoplanning.com/ckfinder/userfiles/files/77421816645.pdf
- https://laurallo.com/ckfinder/userfiles/files/80260255972.pdf
- http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160adfc0c25cd4---77059105287.pdf
- http://headrepublic.pl/images/files/12637041621.pdf
- https://eghamatkade.com/basefile/eghamatkadecom/files/33656469239.pdf
- http://murzilka.biz/images/uploads/file/20904288788.pdf
- https://bowenpainter.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbe1d9c3b29---jibixofebitukez.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=principles+of+scientific+management+by+taylor+pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000caca.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCACA | 16792 bytes |
font_01_sfnt_off0000e2dc.bin82031bd295327cbbc51ec9a52fabdc56183b6901b1931a6ee25cf871434bec38 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2DC | 16912 bytes |
font_02_sfnt_off00010ea5.bin55849d0baca14dbdeb9bd35445af36e1f25054ece34e6e14b35967222c3e706c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10EA5 | 11220 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.