MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure. The critical heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document's intent is to trick users into revealing sensitive recovery secrets or private keys. Numerous embedded URLs, many hosted on compromised WordPress sites or disposable domains, suggest a link farm designed to redirect users to malicious content or further phishing attempts.
Machine Learning
- Nyx PDF Classifier malicious score 0.9846
Heuristics 7
-
Recovery secret / private key request critical SE_SECRET_RECOVERY_LUREDocument requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://dream-mebel.com/pic/file/9599610179.pdf
- http://caacoding.net/wp-content/plugins/formcraft/file-upload/server/content/files/161324eee13789---kokifojiditemakilirolug.pdf
- http://www.luminicaambiental.com/wp-content/plugins/formcraft/file-upload/server/content/files/161377c754c990---lafifatojom.pdf
- http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/1612fe3d6066b2---7979672561.pdf
- https://nls.vn/upload/files/nozasus.pdf
- http://www.trisad.kz/ckfinder/userfiles/files/81618129923.pdf
- http://geonatlife.es/ckfinder/userfiles/files/36207330055.pdf
- https://e-motorcycle.tw/upload/emotorcycle/files/sibuwe.pdf
- http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613a8460d3954---35721970762.pdf
- http://flamefitnessstudio.com/cewit/images/file/rufonusigafiz.pdf
- http://kientrucsangtrong.com/plus/files/xeruxamowonotavobu.pdf
- http://dar-tom.pl/userfiles/file/94467337039.pdf
- http://anthonyvienna.com/sites/default/files/file/numolasegopuzozasakadixak.pdf
- https://marikakozmetika.hu/editor_up/zogikexex.pdf
- http://e-sportis.com/images/upload/rupoxizis.pdf
- https://simovi.mx/wp-content/plugins/formcraft/file-upload/server/content/files/16138f9d19b4c6---kufaxipamojizijofo.pdf
- http://fese.in/ienupdimages/images/files/61263255508.pdf
- http://stfurnimart.com/file_media/file_image/file/39907649361.pdf
- http://websurin.net/UserFiles/File/28693915838.pdf
- http://konakelektrik.com/userfiles/file/69423488135.pdf
- https://immsac.pe/sgi_userfiles/userfiles/files/fejugifiwukexoxizejaze.pdf
- http://yummyschool.com/_UploadFile/Images/file/zedelokologoxezamaje.pdf
- https://kungfuclasshongkong.com/louis/taichi/ckfinder/userfiles/files/gufunokedugogoxasupigaxo.pdf
- http://wxhsbl.com/ckfinder/userfiles/files/20210905_161942.pdf
- http://automyjka.pl/automyjka.pl/userfiles/file/84639841326.pdf
- http://spielundlicht.de/content_provider/documents/files/26949859218.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=download+movies+on+phoenix+browser
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000dad2.bin33bd3a04218e967d2ed4c4f9bcc8ed2bab3dc7676da7ac4ec38c381ca1fd7bd5 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xDAD2 | 16680 bytes |
font_01_sfnt_off000105d4.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x105D4 | 16792 bytes |
font_02_sfnt_off00011deb.bin3a905abd9ff12dd945602c1281e6cd4e1724d4e9bfe88d6523ef599945dea9b0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DEB | 10952 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.