MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document was flagged by a machine learning classifier as malicious and also detected by ClamAV as a phishing trojan. It contains numerous links pointing to compromised WordPress sites, likely serving as a link farm to host malicious files. The document's content and heuristics suggest it is designed to trick users into downloading a password-protected archive, a common tactic to bypass security filters.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 8
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://irlanc.ru/uplcv?utm_term=studio+one+4+professional+crack PDF link annotation
- https://emergent-partners.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a48fc3314e5---risenifagujatixunow.pdfIn PDF document text
- https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/8f89787135b4e91d543f539795aca322/raminevakomi.pdfIn PDF document text
- https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/b75lhku8if3fdqgd8euggqvns9/wuganeguwexekunizawereb.pdfIn PDF document text
- http://www.franklinwebdesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e01afeb243---34185160558.pdfIn PDF document text
- http://www.meglobalinc.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1608ae6aada37a---21212285367.pdfIn PDF document text
- https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/cf0d47fbe0082b020e68e68a207772b8/31505085266.pdfIn PDF document text
- https://ewms.vn/wp-content/plugins/super-forms/uploads/php/files/dcedjl98jgt66hu93embt55n0f/63601658217.pdfIn PDF document text
- http://www.next-conseil.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160c5bd91102c2---bofotu.pdfIn PDF document text
- http://www.adatechotomasyon.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b446da5f47b---4463449584.pdfIn PDF document text
- https://www.davinci.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1609a86a197b81---40009829437.pdfIn PDF document text
- https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/a67a8be06e6939e7ac97a5d922203260/guvijanumed.pdfIn PDF document text
- https://www.chauffeur-prive-nice.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160962cf8d8ad7---82998585774.pdfIn PDF document text
- https://www.pfgpartners.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609edcb61dce8---xenaturutubatubipisuze.pdfIn PDF document text
- http://domeinbeverdonk.be/assets/files/file/48627616524.pdfIn PDF document text
- http://shmountaineering.co.uk/wp-content/plugins/super-forms/uploads/php/files/1qfjfa42kmfei5l83oakilrov3/xisizigaji.pdfIn PDF document text
- http://globaltruthmediagroup.com/clients/a/aa/aa8380eac451876ae6ab993bf3a720d6/File/62352897020.pdfIn PDF document text
- https://glowskincare.net/wp-content/plugins/super-forms/uploads/php/files/65ac0a01f6a865968a4ce72c868a5f1b/nuwomuk.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f3eb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3EB | 5404 bytes |
SHA-256: bc1b8421b7e4b757c88473f34360827267033be92f1d975fe25646b2e9f5b72b |
|||
font_01_sfnt_off00010665.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10665 | 10568 bytes |
SHA-256: aa011c2fea0d79d9e3914a5cb311691bcbbe0e3e3c658ef2e332631dea027e52 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.