MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file was flagged by multiple heuristics and an ML classifier as malicious, specifically as a phishing or trojan distribution attempt. It contains numerous links, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. No scripts were extracted, but the structure and URL patterns indicate a phishing or malware delivery lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9974
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b208aad6e34---naninegibinutevir.pdf
- https://camping-du-lac-dijon.com/fichiers/tixeme.pdf
- https://heatingboiler.ca/fck_upload/file/98392623409.pdf
- https://www.jahnigterbraak.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160f8cedab6cd1---mutawikosuvamatediximop.pdf
- https://stalbeckers.nl/userfiles/image/file/76875540702.pdf
- http://highlandcougars83.com/clients/2/26/268573c5102cd00412bac87cee9346ec/File/patut.pdf
- https://china-glass-mosaic.com/userfiles/files/20210730_071001.pdf
- https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/cmqnoedfedhljbqr7hqibvpkg0/nogis.pdf
- https://nguoixunghekiev.vn/userfiles/file/46520196162.pdf
- http://voszveszprem.hu/_user/file/wizopobuwimi.pdf
- http://www.hcibatiment.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608185a058022---74075489385.pdf
- http://www.lavalledesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607563d3e4e64---80712531813.pdf
- https://beaumont-residence.com/wp-content/plugins/super-forms/uploads/php/files/ddakdaopnt2l5b76h10go6crah/31537774470.pdf
- http://provia-events.de/pics/fotos/1/file/mudaredasawugefidijebegoj.pdf
- http://easternsheep.by/app/upload/file/jekokavo.pdf
- http://clearlakesd.org/wp-content/plugins/formcraft/file-upload/server/content/files/16084b27b43349---witorix.pdf
- http://amako-ra.com/wp-content/plugins/super-forms/uploads/php/files/6cd9a1e7712e5868441e9e2c7322c571/tugonunovumeravikib.pdf
- http://gsprojekt.eu/userfiles/files/99157617527.pdf
- https://batikatravels.com/userfiles/file/14899088568.pdf
- http://longarmquiltacademy.net/fckeditor/userfiles/file/kaxanoviropotibenakala.pdf
- http://1000projects.ru/upload_picture/file/lemivoxado.pdf
- http://mko-yug.ru/wp-content/plugins/super-forms/uploads/php/files/3df12bfea7a99cd36c0c422d5c5606d5/vosebemuvuf.pdf
- https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f3caf511306---18898597555.pdf
- https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1607577ab5a4fa---gibalemerupajixovikaw.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=how+to+pair+jvc+ha-a10t
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000efc5.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFC5 | 16792 bytes |
font_01_sfnt_off000107dc.bind852569c645b2f110bb6ede1319b012f400ccf948fc0233e088138084e52d2c1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x107DC | 10500 bytes |
font_02_sfnt_off00011ff1.bin91648d9407a55b240a321ceeacf81cc1c1ecb3ca34b8a4248b1c20d6f5f8dbdf |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11FF1 | 16896 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.