MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains a large number of embedded URLs, many of which point to compromised WordPress installations. The ML classifier also flagged this PDF as malicious with high confidence. These URLs likely serve as a link farm to redirect users to malicious sites, potentially for phishing or to download further malware. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier malicious score 0.9961
Heuristics 5
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609b2715a0b38---bodunuxotofimijasufogiziw.pdf
- https://wecafephuket.com/wp-content/plugins/super-forms/uploads/php/files/kcnb1fgs59aiaqp2s2d6l108oq/sudobeketazozekade.pdf
- http://ecole.ru/text/images/file/5617644862.pdf
- https://galerieportelouise.be/userfiles/files/3278315726.pdf
- https://igruppe.no/ckfinder/userfiles//files/gijijoxarejoxonovig.pdf
- https://doellefjelde-mussemarked.dk/images/newsmail/file/36250085638.pdf
- https://www.baptistenhardenberg.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c7a7ba167aa---zutevazilemolelipiwarolat.pdf
- https://costumeworld.com/wp-content/plugins/formcraft/file-upload/server/content/files/160efdef4081cd---53319328834.pdf
- https://retentionstudentexperience.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092ebb914264---15968099623.pdf
- http://birons.net/wp-content/plugins/super-forms/uploads/php/files/5492bfc33d90dafb76b6e8635c2b0f7f/18347397153.pdf
- https://him-home.ru/wp-content/plugins/super-forms/uploads/php/files/25219d287c17eb9a6e6fdc8f813cded7/84543290730.pdf
- https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160e63e92e7679---sodawuzarolimu.pdf
- https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079750c35f39---jekafi.pdf
- http://inezorviskids.com/clients/37546/File/43088951722.pdf
- http://www.1atlanticfunding.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079564fc687f---54557764880.pdf
- http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cf5dadc94ed---38373362427.pdf
- http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607859d54b807---dodusi.pdf
- https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/od6aujjn2efg07vu3meprugce1/towixiraganajojosu.pdf
- https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160858c67ea2a5---51034961786.pdf
- https://cullinanconstruction.com/wp-content/plugins/super-forms/uploads/php/files/d1ko33ggcs24apdn9918059cei/11372275060.pdf
- http://nicenpos.com/userData/board/file/22891963965.pdf
- http://miamiwars.pl/wp-content/plugins/super-forms/uploads/php/files/3f479eb6fab5e25871944d7579ff2ad7/tigikatoponemux.pdf
- http://banhangcongnghe.com/upload/FCK/file/xokivoxuneboropumi.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/BkSY9tpko7c/uplcv?utm_term=my+god+he+can+move+the+mountains
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000184a1.bin97ed47998e39a11915e98bf4d3aa1e284926c6bae3805c89f74857f948d12c7a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x184A1 | 16708 bytes |
font_01_sfnt_off0001aff4.bin487a13cdb9e574ad9f207003e77f4b725579e94378170cd0421e22e9a4c3c6ca |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AFF4 | 10944 bytes |
font_02_sfnt_off0001c8f4.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C8F4 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.