MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains numerous links to external sites, many of which appear to be compromised WordPress installations used for hosting malicious files. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely provides instructions to decrypt an archive, a common tactic to evade gateway security. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to deliver a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9822
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://pistant.ru/uplcv?utm_term=how+to+get+free+robux+without+password PDF link annotation
- https://www.sanier.pl/wp-content/plugins/super-forms/uploads/php/files/q1t8k7rmq9sl9me76nlupqcrbn/90526441516.pdfIn PDF document text
- http://etasystem.net/userfiles/files/pinukokevowufusibejeduk.pdfIn PDF document text
- http://vitanova-cattery.com/upload/file/23813072727.pdfIn PDF document text
- https://mebelpozakazu.ru/wp-content/plugins/super-forms/uploads/php/files/b8199fa42a44d85442ea973bb5332b3f/dejaxoweloxujisunerame.pdfIn PDF document text
- http://ajivikafinance.com/userfiles/file/65292348546.pdfIn PDF document text
- http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/160748791258a2---85987282324.pdfIn PDF document text
- http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/1608e51c04735d---rokexowolirilam.pdfIn PDF document text
- http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607d607de8048---rodokazibitegutetefejob.pdfIn PDF document text
- https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/mcuu8ue4hdrpb2pfsvedqmmc2u/21703130641.pdfIn PDF document text
- http://ozhelalikram.de/resimler/files/40560709600.pdfIn PDF document text
- http://forter.vn/hinhanh/file/tiroromunoleta.pdfIn PDF document text
- https://nadamasristorante.it/file/gebixelimosofat.pdfIn PDF document text
- https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/16090d3f3dc81e---tigarasejebevurevanodod.pdfIn PDF document text
- https://www.engltg.com/wp-content/plugins/super-forms/uploads/php/files/5fef04bb1a5a043a42cad8e76cb1f950/pisamikidadadegulewase.pdfIn PDF document text
- http://www.sarajevo-inn-grunewald.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad16b601115---1326083004.pdfIn PDF document text
- http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608d07126168d---nikubexasem.pdfIn PDF document text
- http://premiumresourcing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608303fabdd39---bodowikofu.pdfIn PDF document text
- https://eandjfamilyhealthcenter.com/wp-content/plugins/super-forms/uploads/php/files/2ad39a88fc65e106272466a2afb17ece/komebomipepovi.pdfIn PDF document text
- http://maslatalaia.com/userfiles/file/lofurulotaxasalujigedam.pdfIn PDF document text
- http://extintoresorigen.com/images/editor/gepigi.pdfIn PDF document text
- https://audit-advisers.com/userfiles/file/39224210050.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4d4c210637---29454935674.pdfIn PDF document text
- http://malagi.pl/user-files/fck/file/36116519866.pdfIn PDF document text
- http://birzebbugastpetersfc.com/files/file/61488638993.pdfIn PDF document text
- https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/9rf8ibcj916lhd1l58gj0tuan0/3872677349.pdfIn PDF document text
- http://englandmatchshirts.com/assets/file/54631581698.pdfIn PDF document text
- http://kcobafl.org/ckfinder/userfiles/files/40408545056.pdfIn PDF document text
- https://madopin.com/calisma2/files/uploads/kixibani.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010c92.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C92 | 18036 bytes |
SHA-256: 85ba021e7d5d2b1b87758a01ec76e86d84324afef1ea8e0d0fd92115fba62e56 |
|||
font_01_sfnt_off00013bb8.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13BB8 | 11044 bytes |
SHA-256: 0b100eb7e4fd066b62e017b9f9ee320c256f2b368f8a8ec9279da54fce93fb64 |
|||
font_02_sfnt_off0001553a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1553A | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.