MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF document is identified as malicious by ML classifiers and ClamAV, indicating a phishing attempt. It impersonates Apple and directs users to a suspicious URL, likely to harvest credentials. The document also contains instructions to disable security software, further increasing its malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9933
Heuristics 10
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Security software disable instruction high SE_SECURITY_BYPASSDocument instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
-
Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISHDocument impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://wastran.ru/uplcv?utm_term=baldi%27s+basics+unblocked+ipad.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://wastran.ru/uplcv?utm_term=baldi%27s+basics+unblocked+ipad PDF link annotation
- https://rajatotogroup1.com/contents//files/xifugewaviwebaxibin.pdfIn PDF document text
- https://genesislighting.net/wp-content/plugins/super-forms/uploads/php/files/93c3e305fefbd71d392ba0e48632a4b3/30085029799.pdfIn PDF document text
- https://swimproject.eu/wp-content/plugins/super-forms/uploads/php/files/a6fb73129657d3a19b6110b2d2cacd68/51979588700.pdfIn PDF document text
- https://mobistore.co.nz/wp-content/plugins/super-forms/uploads/php/files/975d43201bc534d00a24bc0e5b03604c/wujaligomefokijipaj.pdfIn PDF document text
- https://proff-doors.ru/wp-content/plugins/super-forms/uploads/php/files/f7521729ea540089493fdec48e0f35aa/poposenuzubuwogez.pdfIn PDF document text
- https://maribon.net/app/webroot/files/userfiles/files/kedoloporubijisijezozam.pdfIn PDF document text
- http://pusancard.com/userData/board/file/93897230983.pdfIn PDF document text
- https://greenturtleproductions.com.au/wp-content/plugins/super-forms/uploads/php/files/c899075c09a3919f1e1f3cd104c8a12d/19164392182.pdfIn PDF document text
- http://symbioticlifetech.org/attfile/fckimg/file///202105142218_866390718.pdfIn PDF document text
- https://makemycake.gr/wp-content/plugins/super-forms/uploads/php/files/m3alk47v6lh3k67d45s98ba520/16973827214.pdfIn PDF document text
- http://sobinco.cz/ckfinder/userfiles/files/metojiguregaturovipave.pdfIn PDF document text
- http://asiadomainstore.com/userfiles/file/vofefebogikawinuzix.pdfIn PDF document text
- http://latexindia.com/userfiles/file/42788736514.pdfIn PDF document text
- https://cullinanconstruction.com/wp-content/plugins/super-forms/uploads/php/files/503shqndgfa4p4n62fpiif0c6f/bipexixufagerokaduda.pdfIn PDF document text
- https://www.comperat-89.fr/ckfinder/userfiles/files/gajogofedijigidubopoji.pdfIn PDF document text
- https://www.paparazzirestaurant.com.au/wp-content/plugins/super-forms/uploads/php/files/a8e02da4aa7ff86509e5d896c1ceed11/sititosobuv.pdfIn PDF document text
- http://zabradli-znerezu.cz/userfiles/file/tinakudesuk.pdfIn PDF document text
- https://www.lightingsolutionsal.com/wp-content/plugins/super-forms/uploads/php/files/43d46dfd3982e31fd9fd03a49868f82b/76652210402.pdfIn PDF document text
- https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/7fb966e97e2ade7d810f385b0d2f87d2/22068275463.pdfIn PDF document text
- https://majorsagilekvaros.hu/uploads/file/vumodinukiwixiwararinaxil.pdfIn PDF document text
- https://www.higher-energy-trampolineclub.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607713303ad9d---sefexipibekajep.pdfIn PDF document text
- https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/28d32c263e7622a31e2af5901f093987/37754618199.pdfIn PDF document text
- http://klinok-saintp.ru/files/gugoziwufodetipofide.pdfIn PDF document text
- https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c441d195a23---xijosuliv.pdfIn PDF document text
- http://intproplaw.com/admin/uploads/file/juxezupifafogemo.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000265ec.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x265EC | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_01_sfnt_off00027dfe.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x27DFE | 18728 bytes |
SHA-256: 6da12e368d96e190a755be5325b83c76c1da4e945738957cc195eb57a2dbede2 |
|||
font_02_sfnt_off0002afb6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x2AFB6 | 10728 bytes |
SHA-256: 68eb04b7f05b5002dd4e1756fb1b60b94f6b80922fb9e0d7b8a1b2840fdd10a9 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.