MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains a link farm with numerous URLs pointing to compromised CMS uploads and disposable hosting, designed to trick users into downloading files. The presence of external URIs and a link farm structure strongly suggests a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.9835
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://smidgel.ru/uplcv?utm_term=download+zynga+poker+hack+apk
- http://ellev.fr/upload/files/83324421201.pdf
- http://villaturri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160fb1f6981a70---53279531696.pdf
- https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/5f05255fa04734b7fbb5dac57736b82a/97677303641.pdf
- https://www.generalutilities.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098463852a7a---87416765820.pdf
- https://www.saenger-ohg.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b3cccf3d6fc---91452323942.pdf
- http://nutronicltd.com/userfiles/file/tawinej.pdf
- http://studiogiovannone.com/userfiles/files/zaperag.pdf
- https://manuscripthandler.com/userfiles/file/38462954397.pdf
- http://ndt-tl.ru/upload/file/37582923369.pdf
- http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160cb0a19c5f77---42891070552.pdf
- http://kojeneckezbozi.eu/userfiles/file/zufugid.pdf
- http://cgt-fo-csc.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160e68df9755b7---pitagevim.pdf
- http://www.mvdisposal.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079ee06f1bd8---fapurosimepoguwivazebol.pdf
- http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160bbc86403196---rujozaxomanoluro.pdf
- https://holocaustresearch.pl/nowy/photo/file/47371470538.pdf
- https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/5dfdeeffa840821ef667a9f351899b97/suvodesimebadidariko.pdf
- http://fkjz.cn/upload/files/2021/06/202106290443113168.pdf
- http://choinka4x4.org/cms/files/file/74153301179.pdf
- https://seroinstitute.com/wp-content/plugins/super-forms/uploads/php/files/10c0c1bc32c47f20daecea7ab55dea25/nemabitipabelinugeja.pdf
- https://clumba-indoor.ru/files/files/suxebupizewiwagetanoj.pdf
- http://jyjwqj.com/uploadfile/file///2021061306435326.pdf
- http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/423c5100cc5612cfff8de46570ac3fcb/24396519152.pdf
- http://trainternational.in/wp-content/plugins/formcraft/file-upload/server/content/files/160faca7929ac9---mumovupamanigenebas.pdf
- http://cableesmaltado.com/d/files/datofovevajuwimolup.pdf
- http://www.koeru.eu/failid/file/kekegamuwufedupevuku.pdf
- https://primewestelectrical.com/wp-content/plugins/super-forms/uploads/php/files/aacd0b776b6c4e7f52cd08fdd4c5fdf6/jufat.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000fd83.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD83 | 16792 bytes |
font_01_sfnt_off0001159a.bincce760fc6923e188bb38cc7707c9fab9ccf8d467368f831427b57c5078f6a7e8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1159A | 10788 bytes |
font_02_sfnt_off00012e46.bin3def558238381e5f0646b8871925895a3f548e7931d6277493946b39dfe4cbba |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E46 | 17520 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.