MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1539 Steal User Data
This PDF document exhibits malicious behavior by employing a lure to trick users into revealing sensitive recovery secrets or private keys. The document also contains a 'clipboard command execution lure', suggesting it intends to guide the user to paste copied content into a command-line interface, likely to execute malicious commands. The presence of numerous links to potentially compromised CMS upload storage and disposable hosting further indicates a phishing or credential harvesting attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9835
Heuristics 8
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Recovery secret / private key request critical SE_SECRET_RECOVERY_LUREDocument requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://plumcourse.com/wp-content/plugins/super-forms/uploads/php/files/e3144030a179a97c780b5b5954e53985/15097872551.pdf In PDF document text
- https://bodwellassociates.com/wp-content/plugins/super-forms/uploads/php/files/be877fb92cb6dc505cdf016864012a2f/jutozutani.pdfIn PDF document text
- http://whs1963.com/clients/7/75/758a827d59fb1c2827eec60421ffdc22/File/46859022799.pdfIn PDF document text
- https://asiabiru.com/contents//files/29136984003.pdfIn PDF document text
- https://alihuata.com/userfiles/file/masujuxaguzolovop.pdfIn PDF document text
- https://californiaoptionsrealestate.com/wp-content/plugins/super-forms/uploads/php/files/459e50215188931c8942194e3349abfc/kazase.pdfIn PDF document text
- https://www.asahinafunnels.com/wp-content/plugins/super-forms/uploads/php/files/kvf27e3tc5ut762tt7sk0fv2gh/20867030371.pdfIn PDF document text
- https://nam.it/wp-content/plugins/formcraft/file-upload/server/content/files/160abc0c51656f---fimiwikoja.pdfIn PDF document text
- https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/1rf5krsqfngk8ltoavrtte4131/jifagukugezujalopek.pdfIn PDF document text
- https://phase1acoustics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b1056908822---zewowetosiwanakuwogikofuf.pdfIn PDF document text
- https://detector-billetes.com/Imagenes/file/bafozetuguvit.pdfIn PDF document text
- https://nowackleverkusen.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a1952e6a2b0---98405792495.pdfIn PDF document text
- https://www.idahomedia.com/wp-content/plugins/super-forms/uploads/php/files/5e9b8b142ede279314a76775a32ef4e2/36611635734.pdfIn PDF document text
- https://velvetskin.pl/wp-content/plugins/super-forms/uploads/php/files/bd64cef3f8cc6928de9ce1cd73616dd9/teruzitapifati.pdfIn PDF document text
- http://teerosy.com/ipp/images/uploads/files/lozawekigisofujebuwebef.pdfIn PDF document text
- http://prestopc.it/upload/file/wojuviwo.pdfIn PDF document text
- https://www.havanasalsa-dance-tours.com/wp-content/plugins/super-forms/uploads/php/files/231eabfe29f29f617fb69b85acdba8b2/54666146384.pdfIn PDF document text
- http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b82a90e0952---55666365896.pdfIn PDF document text
- https://amalighting.com/wp-content/plugins/super-forms/uploads/php/files/a6a2e4f3b4edd34ab8281daf1f2f95bc/kelagezexemag.pdfIn PDF document text
- https://www.etbsupplies.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607788e224c9c---xurizimanobato.pdfIn PDF document text
- http://thefutureofgolf.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160aac0d67c63d---21926027866.pdfIn PDF document text
- https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/16070aba972344---tewopomememuxavunezol.pdfIn PDF document text
- https://www.davidcosz.de/wp-content/plugins/super-forms/uploads/php/files/fkb5joba4v6s1sctmojqc9vrc3/99122035198.pdfIn PDF document text
- http://www.jhannahs.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b577a063c34---62771181715.pdfIn PDF document text
- http://noithattamphuong.com/upload/files/rorexetinadefoduwipobama.pdfIn PDF document text
- http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/el5mj5jkh2fajui5vo7h11uqb8/gurakixowurakokasafin.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=arbitrage+trading+in+cryptocurrencyPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f602.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF602 | 18476 bytes |
SHA-256: df37132709fd4cf129cf3e878e19b47b474233659408908652540bf6c8c2ce7e |
|||
font_01_sfnt_off00012620.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12620 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_02_sfnt_off00013e37.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E37 | 10808 bytes |
SHA-256: ef3fdf16800f650a68af421d9e1381355567215993e76cfe502bc9b8f87fc75e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.