MALICIOUS
166
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The file was detected as malicious by ClamAV and an ML classifier, and heuristics indicate it is part of an advance-fee scam. It contains numerous links to external PDFs hosted on compromised websites, suggesting a phishing or social engineering lure to download further malicious content. No scripts were extracted, but the presence of multiple malicious URLs points to a phishing campaign.
Machine Learning
- Nyx PDF Classifier malicious score 0.7846
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://oniceh.ru/uplcv?utm_term=intro+to+algorithms+3rd+edition+solutions+pdf
- https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/7e30b572iffk01525eadavrj60/mosaredetuf.pdf
- https://arenda1s.ru/wp-content/plugins/super-forms/uploads/php/files/f942163acd8c4890351260a1e965f997/72797161405.pdf
- https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f1480a3b62---gerigu.pdf
- http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088d3ec17283---66741114802.pdf
- http://shuswapladystriders.ca/userfiles/file/4181178584.pdf
- http://www.nanodrywash.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3c16201b24---62456017860.pdf
- https://wcdt.co.th/wp-content/plugins/super-forms/uploads/php/files/venjf8otq84eptl79fitod66g9/12042055479.pdf
- http://abaj.cz/UserFiles/File/53763116355.pdf
- http://www.alex-vasilkov.ru/images/wisdom/file/sewinevezisapokavixut.pdf
- https://kakvkusno26.ru/wp-content/plugins/super-forms/uploads/php/files/7b89db3ad3152720e4c0ce518e34fafc/77882359482.pdf
- http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/1606d6ca09fa55---texenaxukedeputijopod.pdf
- http://villaturri.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b143c5a0b06---34665015789.pdf
- https://expungemyrecordnj.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608da6d5b9896---93862101002.pdf
- http://arslanemlak.com/E/file/50031035070.pdf
- https://www.charityweiss.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609badf4612ee---47188512830.pdf
- https://anfauglir.com/images/file/tovaz.pdf
- https://rubin2000-distribuitorshop.ro/userfiles/file/37196160842.pdf
- https://www.web2business.pt/wp-content/plugins/formcraft/file-upload/server/content/files/160c54315c9ae1---jijaxevapalusulubeku.pdf
- http://anhbanglaw.com/userfiles/file/49676513778.pdf
- http://2478.ru/admin/ckfinder/userfiles/files/luvarolukajanejulol.pdf
- http://3qbuy.com/CKEdit/upload/files/35880351445.pdf
- http://polskienarty.pl/data/aktualnosci_imgs/file/fifipiwelana.pdf
- http://adamlegal.com/userfiles/file/47138372728.pdf
- https://aawyx.com/sites/default/imageuser/file/suloborokexupope.pdf
- https://mavismanagement.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609dad5bb47dd---feganuwizagesabefisiku.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000b3c8d.bin0a9a4407852b0a823dbee905de5f78b7e34b8082dfdcf6eef872017f8dd05fa8 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB3C8D | 22864 bytes |
font_01_sfnt_off000b7add.bin06f4f129b584bfe9e3316fb6a0d54504d0ee6be8eae5788ae8d692b97b678f73 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7ADD | 11168 bytes |
font_02_sfnt_off000b94a7.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xB94A7 | 16792 bytes |
font_03_sfnt_off000bac90.bin3f2eb68e56e0cc9b24f861ad510cb196f24dbc520975aefba06cb0b93c7ac786 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xBAC90 | 1284 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.