MALICIOUS
134
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample contains embedded JavaScript, a common technique for malicious PDFs to execute code. The PDF also contains numerous external URIs, many pointing to compromised WordPress sites, suggesting a phishing or malware distribution lure. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect users to a malicious site for further compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.8755
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://infrive.ru/uplcv?utm_term=north+of+the+border+wiscasset+maine
- https://www.kasekimi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071e3cfccf6b---95775828793.pdf
- https://auf.vn/wp-content/plugins/super-forms/uploads/php/files/4t5b5lden0617m04h15sk1tsq3/59883002623.pdf
- https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cb96b67d56e---wetisoxuzutitozolut.pdf
- https://www.freshstartdigitalmarketing.com/wp-content/plugins/super-forms/uploads/php/files/49090f7f03d48a205bbfdc0dbbbe99c3/47999248759.pdf
- http://broadviewlibrary.org/uploaded_bvlib/file/23064133015.pdf
- https://gccpay.net/wp-content/plugins/super-forms/uploads/php/files/59b32a8eeb416df8f4258510d66206d4/88948083605.pdf
- http://unsersohn.ch/images/file/perokefo.pdf
- http://acetuitioncentre.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607a1ba58d60d---7832118393.pdf
- https://ofertaromania.ro/ckfinder/userfiles/files/84128036142.pdf
- https://alignerco.com/wp-content/plugins/super-forms/uploads/php/files/fe4f3857fa96fa4e444c8872d191c7e9/29773109529.pdf
- https://senzedigicraft.com/wp-content/plugins/super-forms/uploads/php/files/0b4238ef43a611976c6ed76d8364d70a/pogitasoxezerunotelotew.pdf
- https://robertmatzuzi-massagetherapist.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160d20e75984c2---jisaduwedid.pdf
- http://stardentalcare.org/userfiles/file/nafuxobimelibewelovef.pdf
- http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160af9ae7a4901---walafobedozem.pdf
- http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c742de4915---38117050977.pdf
- http://www.lavalledesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c1f1553ec3d---72338800040.pdf
- https://chicagoportablexray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160860e8810968---zutagurawewopur.pdf
- http://yomamasushitogo.com/uploads/files/jokof.pdf
- http://motoren-adachi.com/js/upload/files/89837403594.pdf
- http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072fe13dbac8---27016385540.pdf
- https://nguyenthelong.net/userfiles/files/88515880060.pdf
- http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d6a8f741d5e---rades.pdf
- https://grupo-bahia-real-estate.com/ckfinder/userfiles/files/74622983054.pdf
- http://emmanuelmissionarybaptist.com/clients/74938/File/nigupex.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00030bf6.bind253c2dfded7d7eff2d3d91672441e6601e25567bb805fe6b97e12dad3417933 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x30BF6 | 11620 bytes |
font_01_sfnt_off00032eae.bined46202649919385a44fdaceaee6b1787db57e42e048e0ff9a8147395a4ade0a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x32EAE | 21368 bytes |
font_02_sfnt_off0003659d.binbaac18e3908d2610b8696171ff0bba7ca6e0b083dbc82f2bac698c64e873c253 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3659D | 10900 bytes |
font_03_sfnt_off00037eb8.bina493cf14d42598d256b41302b6b737aafa7e6b0f151a2977567a5726682abbae |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x37EB8 | 16112 bytes |
font_04_sfnt_off0003940d.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3940D | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.