MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file was detected by ClamAV as Pdf.Phishing.Trojan and flagged by an ML classifier, indicating malicious intent. Heuristics reveal it functions as a link farm, with many URLs pointing to compromised WordPress sites and other potentially untrusted hosting. These links likely lead to phishing pages or further malware downloads.
Machine Learning
- Nyx PDF Classifier malicious score 0.5480
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.andyselfstorage.co.uk/wp-content/plugins/super-forms/uploads/php/files/s21j6nftcr6v9vl6egssurrs71/38709417831.pdf
- https://hospvetcentral.pt/site/upload/file/zivobagigopuba.pdf
- https://www.frankreich-ferien.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1609fdfe9a4346---52942977205.pdf
- https://planet-for-events.de/userfiles/file/midarixusuraxopisinejo.pdf
- https://laihouston.com/wp-content/plugins/super-forms/uploads/php/files/b431e0f7d7a0373596ded16392fb7885/21816230074.pdf
- http://absigorta.com/E/file/zitoxalogowi.pdf
- http://geology.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1606d11fd178c8---gepupexigozifusejoxafemiw.pdf
- https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/sahca859oddfngc4f5ll5qig2i/dukevenezoluwiguwuf.pdf
- http://uyaviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1ea32b5666---13200180815.pdf
- http://tgtech-auto.com/userfiles/file/xemojipupiwunegokukufip.pdf
- http://www.blueoak.fr/image/file/74859558289.pdf
- https://www.chinacimctrailer.com/wp-content/plugins/super-forms/uploads/php/files/8cb44cba57f4306b4312f748a538f494/20144622402.pdf
- http://ateliergermain.net/sites/default/files/file/40706264125.pdf
- https://ols.lighting/wp-content/plugins/super-forms/uploads/php/files/c86d02c765051af3a8ecab459ae5b0df/wokojedakabikemulekuzeje.pdf
- http://krindustria.com.br/site/wp-content/plugins/formcraft/file-upload/server/content/files/1609cdee41bf4f---jinupeza.pdf
- https://velvetskin.pl/wp-content/plugins/super-forms/uploads/php/files/c594bec58e8326050f74e1c192ce4235/77907553098.pdf
- https://prosegik.com/wp-content/plugins/super-forms/uploads/php/files/8ec901844fce4cff5a4ef5e4d8972165/73173346248.pdf
- http://lowndes85.com/clients/d/d3/d39312ffd46aa2fbcc4e4de04d96a17f/File/32633130564.pdf
- https://gaseg.com/wp-content/plugins/super-forms/uploads/php/files/tphp2b45hujcq77ub4gkct6de8/lujefojugeroxozibuwel.pdf
- http://novussiteyonetimi.com/uploads/file/wenirupot.pdf
- http://casaatlantida.com/userfiles/file///masasededilatobuvik.pdf
- https://suhrsmad.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1607d3bae8bd6e---72423627954.pdf
- http://rainbowcaterers.in/userfiles/file/gaxumalepavidixud.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=mod+hay+day+android
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_005_off00015b39.bina38e773295188bfd8c8f59d54d47a9e94ed9101c45e5935a558b1e70b329e690 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x15B39 | 31156 bytes |
font_00_sfnt_off00010065.bin7260c79de73370d7adcee58674fd55c60881d89229de01e45202d9fe1b92dbd0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10065 | 17068 bytes |
font_01_sfnt_off00012d19.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12D19 | 16792 bytes |
font_02_sfnt_off00014530.binc867f481697d504469f92c864b923b943c33cfde2cf38d975d6c49dc8172735c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14530 | 10008 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.