MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains numerous links pointing to compromised WordPress sites, acting as a link farm. These links likely serve to obscure the ultimate destination and potentially deliver a malicious payload. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.
Machine Learning
- Nyx PDF Classifier malicious score 0.9966
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://sandzak.best/wp-content/plugins/super-forms/uploads/php/files/642f46b5061b82bf41f5fc8bafb4a40c/41464056160.pdf
- http://braintradingbcn.com/wp-content/plugins/super-forms/uploads/php/files/00dea9616ed1bff4325417f4e1f43d94/fibabinigafi.pdf
- http://www.sevenchurchestour.net/seven/wp-content/plugins/formcraft/file-upload/server/content/files/160b66a2b7588a---87504116662.pdf
- https://soalmatematik.com/userfiles/file/zovegaz.pdf
- http://jgbt.us/pds/userfiles/files/24889153872.pdf
- https://topinsolventa.ro/userfiles/file/xuderudedimarisa.pdf
- https://vizzzio.ru/wp-content/plugins/super-forms/uploads/php/files/3859c121f490d6311cc50288918d3951/revudumugafidokugefiz.pdf
- http://aliglobshop.com/userfiles/file/2360753734.pdf
- https://wilsonbarrera.com/inicio/wp-content/plugins/formcraft/file-upload/server/content/files/160c79006dd76d---59820917201.pdf
- http://plenaadoracao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609ae1be19895---dipuloloma.pdf
- http://ngpsusa.com/wp-content/plugins/super-forms/uploads/php/files/v9g3s6t7p0rv98bedbol38c4ad/zuzarepoleneduxu.pdf
- https://www.novet.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609e8eef3a302---78116967546.pdf
- http://franklcalabreseattorney.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/fepuriwidugefow.pdf
- https://arerp.kr/data/file///pufakusaliw.pdf
- http://www.itbaloch.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d66dfc9527---76595105921.pdf
- http://adabaskimerkezi.com/upload/file/44704587782.pdf
- http://www.misshandicap.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160c13d0b6e5f6---korotovobota.pdf
- https://sahyadrisevasanstha.in/userfiles/file/1027399385.pdf
- http://smartcookieacademy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609d3d93199d7---zararamig.pdf
- https://hotelritariccione.it/wp-content/plugins/formcraft/file-upload/server/content/files/16085806016fb6---95874031739.pdf
- https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b0f11a2da51---41896619798.pdf
- http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ae34394238---76286570202.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=capable+of+being+persuaded
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00016089.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x16089 | 16792 bytes |
font_01_sfnt_off000178a0.bin8f52d53753bfe113bcf540e5de6fd7d09f91e76cd3366862008b59de89a784f7 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x178A0 | 10844 bytes |
font_02_sfnt_off0001914b.bin9dd05fbf7979f82a7baef4316ee1b232ae538ecfdb16e4efdc414507c2f5dcfe |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1914B | 17784 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.