MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The ML classifier strongly indicates maliciousness, supported by heuristics identifying the PDF as a link farm pointing to compromised WordPress uploads and other disposable hosting. The presence of a visual download button lure further suggests an attempt to trick the user into downloading a payload. No scripts were extracted, but the overall structure and URL findings point to a downloader or phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 6
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://frontlinetherapist.com/wp-content/plugins/super-forms/uploads/php/files/54f9321a08877bfaee25033ee1334403/47454276980.pdf In PDF document text
- https://www.servicioscalibrados.com/wp-content/plugins/super-forms/uploads/php/files/f452249b968fcbc16e71b7a36a802880/bijag.pdfIn PDF document text
- https://jodhpurtravels.com/nbloom/fckuploads/file/92631697104.pdfIn PDF document text
- https://www.swissfillon.com/wp-content/plugins/super-forms/uploads/php/files/4a76484c4ed45adf75a302641b2b5125/wekosidamepin.pdfIn PDF document text
- http://cleannshieldflorida.com/wp-content/plugins/super-forms/uploads/php/files/66eb5566eca2277a3ba229f407026fee/94623016301.pdfIn PDF document text
- https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/3fa10baf1516433f250c162a3a4ec952/97829310027.pdfIn PDF document text
- https://glasschneider.koeln/wp-content/plugins/super-forms/uploads/php/files/lhbqlrnk6teu90ufb1ij1hs0js/vabibiminux.pdfIn PDF document text
- https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/26d28bd3d36353320ed75d522f0ad7ec/geleviwotabese.pdfIn PDF document text
- http://bfr-bialapodlaska.pl/userfiles/file/reludijadopapiter.pdfIn PDF document text
- http://xn--e1aazeoc7d.xn--p1ai/images/shared/file/dudidufemap.pdfIn PDF document text
- https://angkortaxiservice.com/userfiles/file/jelid.pdfIn PDF document text
- http://www.northeastmarquees.com/wp-content/plugins/super-forms/uploads/php/files/35c59b743ae74afbcb33f1557243ca43/3191855092.pdfIn PDF document text
- http://ghalemdi.com/userfiles/file/xodimarefapotifodogubu.pdfIn PDF document text
- https://prikolnaya.com/wp-content/plugins/super-forms/uploads/php/files/472241bc30315984e1498c8971cd66f6/2177537251.pdfIn PDF document text
- https://susta.vn/userfiles/file/64277103936.pdfIn PDF document text
- http://adanateknikservis.web.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1609f623af3386---31079444777.pdfIn PDF document text
- https://ballestermultiservicios.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d53ee3e47a---lopifodovujezukukifirobo.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=java+properties+xml+file+formatPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e28e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE28E | 5164 bytes |
SHA-256: ab3ab1bc3a735e7448f1839ffb615a836d8bc98be4f37c04ef2b7acc8bfcf9da |
|||
font_01_sfnt_off0000f41a.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF41A | 10568 bytes |
SHA-256: 5546199f457aeb1e6ca7e753ee407ccf5a492f4a0b367ea42a5d715f14afa10e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.