MALICIOUS
196
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a link farm with numerous URLs pointing to compromised WordPress sites and disposable hosting, a common tactic for advance-fee scams. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly indicates the document's intent to deceive users with fake prize or parcel delivery information. ClamAV also detected this file as a malicious PDF, reinforcing the assessment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9835
Heuristics 7
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LUREDocument contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://123natura.com/stockages/files/xupafitomazekotixafeluti.pdf
- http://aqua4you.hu/userfiles/file/zinisiwagaxitekorovakaru.pdf
- https://concurs-euclid.ro/upload/fck/jafakojarinazuk.pdf
- http://htwy.com/upload/file/jutekaxilanixatakux.pdf
- http://telegid.tv/userfiles/files/gidevabunezasaxo.pdf
- http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/16134afc4d9ab1---52536511385.pdf
- http://fobosgrunt.ru/files/ckfinder/files/80289629292.pdf
- https://rzfmuhasebe.com/userfiles/file/51040757208.pdf
- https://marcuspietrek.de/MARCUS/files/file/lefufazinuneratijenumodo.pdf
- https://www.caesarstravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16131fe313ed29---zudesi.pdf
- http://phuwangnam.com/user_file/file/91505521309.pdf
- http://sensitiva.fi/UserFiles/File/puxifokonabomuriluxu.pdf
- http://www.sarajevo-inn-grunewald.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d1bbaed5f1---zujiba.pdf
- https://netcsemege.hu/ckfinder/userfiles/files/87712323823.pdf
- https://12shio3.com/contents/files/62393213628.pdf
- http://whatifitspossible.com/ckfinder/userfiles/files/13104501596.pdf
- https://doan295doson.vn/namthuan/images/news/files/zobuderokiburoma.pdf
- http://www.examnotice.in/uploads/files/23654709962.pdf
- http://findmealocalpainter.com/insurazon/admin/userfiles/file/sewiwope.pdf
- https://aspirecambodia-edu.org/userfiles/file/78642636150.pdf
- http://agataklimowska.pl/userfiles/file/vabukikoluwuduzejuzemo.pdf
- https://greenfins-thailand.org/uploads/file/3179928646.pdf
- https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614849fb1eebf---35067573963.pdf
- https://nordavril.com/userfiles/file/bifusavixuvudogereroranat.pdf
- http://mtcnx.com/upload/fckimagesfile/5886226486.pdf
- http://4998horo.gmmwireless.com/contents/files/7653378338.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/1xuhb7AK25c/uplcv?utm_term=how+to+make+screen+bigger+on+android+phone
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f131.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF131 | 16792 bytes |
font_01_sfnt_off00010948.bined4ab2e59442307e8b91bf1012c048bf68837f66b4cdc279d6e842ef642b72f0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10948 | 11224 bytes |
font_02_sfnt_off000122fa.binda6625b33cf687683c8fe70bfa404410391bcbc3835b82cc9ed40c1c13e66f26 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x122FA | 18776 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.