MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript and numerous external URIs, many of which are part of a link farm hosted on disposable domains. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware delivery through these links. The embedded JavaScript is a common technique for exploiting PDF vulnerabilities or initiating malicious actions.
Machine Learning
- Nyx PDF Classifier malicious score 0.9930
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://irlanc.ru/uplcv?utm_term=complete+gym+workout+plan+pdf
- http://jdhs77.com/clients/58520/File/pidadoragovegilagafijorod.pdf
- https://oddluzanie.net/userfiles/file/37297746048.pdf
- http://thoitrangvabaoho.com/Images_upload/files/koretoginilufogale.pdf
- http://www.melloecastro.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc19d651cd---58247848139.pdf
- http://houstontca.org/Content/uploads/files/76935610903.pdf
- https://akapacha.com/userfiles/file/96603790794.pdf
- http://southportrubbish.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d273e3c4fd---pixikopipaped.pdf
- http://debsecond.net/UserFiles/File/kakal.pdf
- https://asiaviews.org/wp-content/plugins/super-forms/uploads/php/files/2qcir901aqj20klqau55b09kp5/gilukilotogosoba.pdf
- http://berbun.com/user_img/file/89076215120.pdf
- https://abofahed.com/userfiles/file/xukagurutudilemofapezode.pdf
- http://gagutp.com/sa_upload/userfiles/file/20210617213632.pdf
- https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/89006c5190cd99113ced8a59d2d2ce29/15042518032.pdf
- http://fabrykakonwersji.pl/wp-content/plugins/super-forms/uploads/php/files/5ffecf09eb91a63e763cf2694fd9657b/nigog.pdf
- http://everest-c.ru/ckfinder/userfiles/files/11206274360.pdf
- https://www.sussexweddingservices.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160cc6cc344438---58757875557.pdf
- https://idea-web.ro/app/webroot/files/userfiles/files/29909321985.pdf
- http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/371d74f34d3f9a3c108d1031604454d2/81619918199.pdf
- http://maxtarget.by/ckfinder/userfiles/files/nirukefager.pdf
- http://szentistvanpatika.hu/upload/file/pemuvavozasizigadiganiz.pdf
- http://all-vehicle.net/js/upload/files/xesonobumanoxagupenebol.pdf
- https://temahr.hr/files/90438332596.pdf
- http://www.next-conseil.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1611bedb120602---8531208884.pdf
- http://steclotildehorton.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1612d9eb035b0f---wuwubuxejakopubuwokaxugiw.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb39.bin430b0e5179306eb3e3972e9aedd4786b5db7d68820c43b59a3348d69c5caf018 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB39 | 11004 bytes |
font_01_sfnt_off000104ad.bin736bad5b1f990d62aed4ecf6620ce51020afb900679dca4ee8c145c7c85029fb |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x104AD | 17192 bytes |
font_02_sfnt_off00011dd0.bine4f11b35546f7728a145e49af768d1ad63f995250d9a90a57492952602074006 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11DD0 | 17968 bytes |
font_03_sfnt_off00014c60.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14C60 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.