MALICIOUS
190
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains embedded JavaScript and multiple links to external resources, including a compromised WordPress upload. Heuristics indicate a social engineering lure to install a browser update or extension, coupled with a visual download button. This suggests the document is designed to facilitate the download and execution of a second-stage payload, likely a phishing or trojanized application.
Machine Learning
- Nyx PDF Classifier malicious score 0.6934
Heuristics 9
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Browser extension / update installation lure high SE_BROWSER_INSTALL_LUREDocument tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
SEO-redirector lure link (multi-word utm_term) low PDF_SEO_UTM_REDIRECTOR_LINKPDF contains a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the search-keyword gateway used by the 'free document download' phishing family. Surfaced as an IOC; on its own this is a low-confidence signal.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ragaz.co.za/XSRYdR1H?utm_term=chrome++for+android+4.+0.+3 PDF link annotation
- http://hagelkonzept.de/userfiles/file/losadukek.pdfIn PDF document text
- http://installmysolar.com/userfiles/file/40307387444.pdfIn PDF document text
- https://parokaonline.hu/upload/files/28305340411.pdfIn PDF document text
- http://ing-triplee.com/ckeditor/kcfinder/upload/files/96442578617.pdfIn PDF document text
- https://edu-mate.kr/_UploadFile/Images/file/sixosexajokudemodateni.pdfIn PDF document text
- https://lazdynumokykla.lt/userfiles/file/29576258550.pdfIn PDF document text
- https://erdenet.mn/userfiles/file/94887851406.pdfIn PDF document text
- https://webmodels.studio/wp-content/plugins/formcraft/file-upload/server/content/files/162043f12343ae---xuponenikowuzinexegokefar.pdfIn PDF document text
- http://lauffer.com.br/app/webroot/js/kcfinder/upload/files/kunuwas.pdfIn PDF document text
- http://foire-fromages-et-vins.com/wp-content/plugins/formcraft/file-upload/server/content/files/16203230382565---vulejug.pdfIn PDF document text
- http://sdtech-kh.com/kcfinder/upload/files/4114892933.pdfIn PDF document text
- https://companydemo.opusviewdev.com/app/webroot/js/image/files/suxova.pdfIn PDF document text
- http://atem.sciara.eu/public/upload/file/venakisebasilepapixexov.pdfIn PDF document text
- http://zekejozsef.eu/FCKfeltoltott/file/ruguxiwufiduvijalit.pdfIn PDF document text
- http://toys4boysleather.com/userfiles/file/98341373511.pdfIn PDF document text
- https://sukienmiennam.com/userupload/files/manubidewazura.pdfIn PDF document text
- http://runhouchem.com/upload/files/sejotusowijaxazejelaku.pdfIn PDF document text
- http://kammed.com/userfiles/file/24950631949.pdfIn PDF document text
- http://voyagerav.com/v15/Upload/file/2022311455247112.pdfIn PDF document text
- http://polipadel.com/userfiles/file/tajefefibivafirokesumo.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1621bd5896a42f---jazuvikunomagegoworo.pdfIn PDF document text
- http://pferdplus.at/sites/pferdplus.at/files/file/3549073877.pdfIn PDF document text
- https://thehideawayresortpattaya.com/userfiles/files/woxumoru.pdfIn PDF document text
- http://iabmbikaner.org/public/ckeditor/kcfinder/upload/files/58923850944.pdfIn PDF document text
- https://inks.bg/userfiles/file/nifowazagixovikepafokuso.pdfIn PDF document text
- http://ylpqzl.com/ckfinder/userfiles/files/zuwotebobizalu.pdfIn PDF document text
- http://yaqeen-eg.com/userfiles/file/kufivibunujez.pdfIn PDF document text
- https://kvizek.excore.hu/ckfinder/userfiles/files/zekekobig.pdfIn PDF document text
- https://imperialbroker.it/userfiles/file/pivefujadazasarejezamofi.pdfIn PDF document text
- https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/16222a72d46f55---wigenuxigomesidorat.pdfIn PDF document text
- https://alquimia.in/admin/fckeditor/editorfile/25482625571.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00049be9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x49BE9 | 10776 bytes |
SHA-256: c14a8f392f529f8617b36e0ae64e6aad2736f8da635f928e08f7e0bda9a6e550 |
|||
font_01_sfnt_off0004b495.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B495 | 16560 bytes |
SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9 |
|||
font_02_sfnt_off0004cbb0.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x4CBB0 | 21376 bytes |
SHA-256: 230c4b1d51143e9ece2ac2a7064b677abf7c7a7e4e760d77963829ca84e13a98 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.