MALICIOUS
204
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains an embedded JavaScript stream and numerous external URIs, many of which point to compromised CMS uploads or disposable hosting. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to download a password-protected archive, a common tactic to evade gateway scanning. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to deliver a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9974
Heuristics 8
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://aeusjtu.pretty-match.com/upload/files/39943379182.pdf In PDF document text
- https://davidfoleyinc.com/userfiles/file/4011805151.pdfIn PDF document text
- https://www.zaantraining.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1613e4a8f657dc---37625156568.pdfIn PDF document text
- http://laboratoriologos.it/userfiles/files/29811498392.pdfIn PDF document text
- http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/161445cdd8fed3---73408123831.pdfIn PDF document text
- http://wwm-quanta.com/upload/files/kewedorixurabaviw.pdfIn PDF document text
- https://atlasautoglass.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612ff5b387189---xetogeliwiwisodoma.pdfIn PDF document text
- https://grandegroup.net/files/41471494734.pdfIn PDF document text
- https://sokolzgierz.pl/web/uploads/files/65526094979.pdfIn PDF document text
- https://implantsdentairesdesmoulins.com/upload/editor/file/95112858904.pdfIn PDF document text
- https://onderdurdu.com/upload/ckfinder/files/41791929489.pdfIn PDF document text
- https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/0ef263d93aa69123aa5cb58a276b3880/koxaxonizomikobajo.pdfIn PDF document text
- https://kaowei.tw/image/files/20210902_031628.pdfIn PDF document text
- https://mkting.com.co/wp-content/plugins/super-forms/uploads/php/files/1cf8d436ca525a6db434ed84c7b3ae33/mizojoxeg.pdfIn PDF document text
- http://garage-ys.info/js/upload/files/77045201116.pdfIn PDF document text
- http://malerbetrieb-malanders.de/Webseite/pics/fotos/1/file/kamipenilezogamunerivunel.pdfIn PDF document text
- http://ovartec.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614259a938820---18050382522.pdfIn PDF document text
- https://fwstc.in/userfiles/file/wagoxexipolikoz.pdfIn PDF document text
- https://protum.se/file/38892525581.pdfIn PDF document text
- http://hanyangsteel.com/files/fckeditor/file/210444559261452f6e00966.pdfIn PDF document text
- https://www.ayersworthglen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613e02bb79648---fogedixuvivepibidetidubef.pdfIn PDF document text
- https://conexus-study-abroad-travel.com/ckfinder/userfiles/file/nefopoxawenebagelog.pdfIn PDF document text
- http://gurgaontaxi.com/pa/trainstation/uploads/image/file/bowuxajififu.pdfIn PDF document text
- http://dtmaso.com/public_html/Imagens/file/42592348448.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=gta+for+ppsspp+androidPDF link annotation
- https://mediaget.com/userfiles/files/30656249154.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000df45.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF45 | 17188 bytes |
SHA-256: e284897c85f3facd29982e555395213a73dd7b4b8240bcfc5602b1513c0eb877 |
|||
font_01_sfnt_off00010c0f.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C0F | 10352 bytes |
SHA-256: b10ee6070bb31f84a8a9b418abb2a22868be6d0ee2e321c91de3de7905f646aa |
|||
font_02_sfnt_off0001238e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1238E | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.