MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains multiple links to external resources, many of which are hosted on compromised WordPress sites. The heuristic 'PDF_RANDOM_URL_LINK' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' indicate a strong likelihood of malicious intent, likely to distribute further malware or conduct phishing. The ML classifier and ClamAV detection further support the malicious classification.
Machine Learning
- Nyx PDF Classifier malicious score 0.9969
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://catamma.ru/uplcv?utm_term=inuyasha+full+episodes+english+dubbed PDF link annotation
- http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078615728721---15064024822.pdfIn PDF document text
- http://www.kindytennis.com/wp-content/plugins/formcraft/file-upload/server/content/files/160940fba7e3ea---webikuzadaluvowazigiru.pdfIn PDF document text
- https://al-farh-iq.com/upload/userfiles/file/muvuxekinomawanana.pdfIn PDF document text
- http://ambulatorioveterinarioscapindandrea.it/userfiles/files/vezirevak.pdfIn PDF document text
- https://manuscripthandler.com/userfiles/file/donexatutasunidibarus.pdfIn PDF document text
- http://www.dj-csnl.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607c353db4fcd---vupewomo.pdfIn PDF document text
- https://livingcircles.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1609c0d687256b---fobupinesebomenogupames.pdfIn PDF document text
- https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/6s8pd2n8jhomieoh18d1sfokcf/fexevex.pdfIn PDF document text
- https://marciasmithconsulting.com/wp-content/plugins/super-forms/uploads/php/files/98a177f1c151811dc8405d3f122e8dac/vuwobixo.pdfIn PDF document text
- http://kulturazebrak.cz/userfiles/kabapinaw.pdfIn PDF document text
- https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/160bf49be3bd8c---kamozepuriguw.pdfIn PDF document text
- https://fieldofgreen.com/wp-content/plugins/super-forms/uploads/php/files/80c69ce5e4de625b743637b3000b8f47/gisop.pdfIn PDF document text
- http://www.rolstoellift.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e48f89c40f---53788482024.pdfIn PDF document text
- https://baodinhsolar.com/wp-content/plugins/super-forms/uploads/php/files/qv7d8pj12i7nr3epnhne06ggsm/42238932859.pdfIn PDF document text
- http://www.bewegeninarnhem.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608ce7f6c5b27---katorifutenupo.pdfIn PDF document text
- http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d3c43370ab---53781727287.pdfIn PDF document text
- http://www.mangareader.net/226/inuyasha.htmlWatchIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off00016af5.bin |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16AF5 | 162852 bytes |
SHA-256: 0a982b4c272b6f4426cc0600c956cfe239b4dcfd004536e08456de5be82f34f7 |
|||
font_01_sfnt_off000348f0.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x348F0 | 5388 bytes |
SHA-256: 28bb7ab6a37a7242ac0b66b675acba2e3b967a2e6ca510d98217f135eb441547 |
|||
font_02_sfnt_off00035b4c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x35B4C | 11456 bytes |
SHA-256: c5a733ec360b2357a74fe0b1893a7efe42c7bf364abe4e964bbd0c7eef6c2c31 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.