MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link farm with numerous URLs pointing to compromised CMS upload directories, suggesting a phishing or redirection attempt. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to lead users to malicious content or further compromise.
Machine Learning
- Nyx PDF Classifier malicious score 0.9949
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/0ef9bdfe5ac987eed612ada2fd745a43/risunusixomefil.pdf
- https://alsterparkett.de/wp-content/plugins/super-forms/uploads/php/files/htohv5dlq5230ejmv5ncuogulk/lebunixozazisor.pdf
- http://brandiassociati.it/userfiles/file/bijajilubel.pdf
- http://mdbim.pl/ubezpiecz/obrazy/file/42472651307.pdf
- https://gk-termopanel.ru/wp-content/plugins/super-forms/uploads/php/files/812d62d46eb56b14815164c201b9a93c/guvajomuwiwamegajumujelo.pdf
- http://takeacode.net/user/d41d8cd98f00b204e9800998ecf8427e/file/81333705822.pdf
- https://path.mn/userfiles/files/zukesotu.pdf
- https://liniagdanskzydowo.pl/files/sajujeguzanig.pdf
- https://behagi.eus/files/galeria/files/xexizubifitafiv.pdf
- http://www.sensible-seeds-premium.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ba47ec5224---wadixek.pdf
- https://aneri12.eu/res/file/74744686856.pdf
- http://delawaretravelmedicine.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e67c6eb794---69040315988.pdf
- https://festival.bg/fckeditorfiles/file/guxewefegisumapo.pdf
- https://bistro-8.com/wp-content/plugins/super-forms/uploads/php/files/4417127174904cb66c5a1da7aa4711be/70889982571.pdf
- https://chefinhogourmet.com/wp-content/plugins/super-forms/uploads/php/files/0aebb70ca3475fa4a00f47d9ff2c606b/dujikukewe.pdf
- http://didaconcept.com/admin/fckeditor/file/mozifabadiginajexe.pdf
- https://alice-immo.com/userfiles/file/87797204123.pdf
- http://writtenmail.com/upload_images/file/86676240753.pdf
- http://gsoam.ge/wp-content/plugins/formcraft/file-upload/server/content/files/1606d10735ac18---66914557251.pdf
- https://afriqueitnews.com/wp-content/plugins/super-forms/uploads/php/files/ab4c1fe2b6c05448eaf282ddd50e18c9/81037621947.pdf
- http://irinaburmistrova.ru/files/topunamoxejunawok.pdf
- https://saftanton.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160748ab124cf5---bajijusotojukuwepan.pdf
- https://ltgtrends.com/wp-content/plugins/super-forms/uploads/php/files/f9bf2e28b317887229238ff902c01206/pidiluxufuzad.pdf
- https://aguiapromocional.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a2207b51a15---fewetefe.pdf
- http://vom-ragnaroek.de/uploads/file/4771444773.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=canonical+duplicate+content
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d433.binf3530c7ad02981cd734ac878d8e38c6e6de4d3af2538f331827438b860e37e23 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD433 | 17072 bytes |
font_01_sfnt_off00010090.bin43d87d84b10c5d1aff80053c7135d91115f1ce26a599eb2a1fc8f9f9cdd43a0a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10090 | 10372 bytes |
font_02_sfnt_off0001181c.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1181C | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.