MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. The document employs a social-engineering lure, instructing the user to install a browser extension or update, a common tactic for credential theft or malware delivery. While no scripts were directly extracted, the presence of numerous external URLs, some hosted on compromised CMS platforms, suggests a potential for downloading further malicious content or redirecting users to phishing sites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9655
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://catamma.ru/uplcv?utm_term=pubg+stylish+text+generator+free PDF link annotation
- http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160a768703ce92---gufotogipedebavifaferipal.pdfIn PDF document text
- http://traditionsradio.com/wp-content/plugins/super-forms/uploads/php/files/mmp6epe6325lnv97a5rvkfkhr7/11625864781.pdfIn PDF document text
- https://orkhaconstruction.com/wp-content/plugins/super-forms/uploads/php/files/1novuvaglfu7pcd26u1r6bf2j1/50912927582.pdfIn PDF document text
- https://www.toptalentusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609eca98a8490---fagesiv.pdfIn PDF document text
- http://mwflower.com/upimagesfile/%5C/9357775397.pdfIn PDF document text
- https://robertmatzuzi-massagetherapist.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16086716c192d7---binigugez.pdfIn PDF document text
- http://highendschmiede.de/highendfiles/file/puluputem.pdfIn PDF document text
- http://www.elitagida.com.tr/wp-content/plugins/super-forms/uploads/php/files/v9ickqg8fhe7mnouu0fje14pt0/289689178.pdfIn PDF document text
- http://www.unidacardoso.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16094f541769e2---jogigitubukujoseladuxo.pdfIn PDF document text
- https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/017d34a6300ca59e1829ce806e8782b1/8616664716.pdfIn PDF document text
- https://poolpoint.be/uploads/file/sabazipar.pdfIn PDF document text
- http://vincityhomes.vn/wp-content/plugins/super-forms/uploads/php/files/9js7eg9au5m3itgl27svvdnovm/1015645681.pdfIn PDF document text
- http://simonhoirup.dk/userfiles/file/23578440637.pdfIn PDF document text
- http://www.bridalchapel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098bad69ec88---84456541122.pdfIn PDF document text
- https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ee48fb8b5b---pekitadilufolisij.pdfIn PDF document text
- http://www.gainerwindows.ca/wp-content/plugins/super-forms/uploads/php/files/2f3j7amqtlach9or3ah69371n0/xijonakamipatovuloziwen.pdfIn PDF document text
- https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/41534f2cd167730dbe96ee3e8a23335b/gosumepisipewos.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.opentle.orgIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- https://savannah.gnu.org/projects/freefont/In PDF document text
- http://www.gnu.org/licenses/In PDF document text
- http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://www.gnu.org/licenses/gpl.htmlIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_003_off0001743e.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1743E | 19296 bytes |
SHA-256: 77802585bb43938dc5aa0481215bbf509eaa1cc2fc65c5b70e1a78871d3b7807 |
|||
font_00_sfnt_off00012d7b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12D7B | 24164 bytes |
SHA-256: e3d3ac704417b24a84ea5e16aab32b0d7717d0c44bbcba5a8109dc5d44e2c9e3 |
|||
font_02_sfnt_off0001b0cb.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B0CB | 5340 bytes |
SHA-256: 78e9447c063168d71b0a930f6f1a0c121ed34e2bc757285fa8d237f11ac9da14 |
|||
font_03_sfnt_off0001c2f7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C2F7 | 1800 bytes |
SHA-256: a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620 |
|||
font_04_sfnt_off0001cb79.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1CB79 | 6496 bytes |
SHA-256: 54b0b25a1cbfad1762ba46ee740e7d9056ddcde7f9741f6300118e4c1a13b0a9 |
|||
font_05_sfnt_off0001dc32.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1DC32 | 25596 bytes |
SHA-256: e3ec639f05c97348c55a59992f0c69ca80b2b48a7b4962b83e7248f2f2e49b45 |
|||
font_06_sfnt_off00022747.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x22747 | 17220 bytes |
SHA-256: efe586e286e5b3a45ab2052ed1b5be97124835ff33e67fc6427b1097c99472b3 |
|||
font_07_sfnt_off000240aa.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x240AA | 6532 bytes |
SHA-256: e5497c6d5747e86dee6a23bc05e62f324d09b330836c6bccf5a8e83220deb0c7 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.