MALICIOUS
156
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains a link farm with numerous URLs pointing to compromised WordPress sites, likely intended to redirect users to malicious content. The presence of multiple PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports the malicious intent of distributing links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c74c2ef32e3---54927571773.pdf
- http://brenno-tojestto.pl/userfiles/file/xedukunenajog.pdf
- http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074a448e0ddb---94175607404.pdf
- http://phuquytravel.com/nguyenvanlinh/files/79416575195.pdf
- https://pharma-tools.eu/galeria/file/vodilifakonamapujudega.pdf
- http://seibyou-koujien.com/files/files/jasumujavok.pdf
- https://www.hintonassociates.com/wp-content/plugins/super-forms/uploads/php/files/e4e7c0feabe1e8621a1921da975bde80/93324199334.pdf
- https://seataclighting.com/wp-content/plugins/super-forms/uploads/php/files/7b3863ed45d1bef2d7f1f22d2aad3c8c/6785265422.pdf
- http://the100voicesofgospel.de/fichiers/newsletter/file/71051512610.pdf
- http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090655d0b896---wupifazemikefiwigegu.pdf
- https://aterhesseg.com/up_image/file/59300405234.pdf
- http://warraichmeats.com/wp-content/plugins/formcraft/file-upload/server/content/files/160887b24304b8---95767628420.pdf
- https://auto826.com/uploads/files/jotazowegawozozomew.pdf
- https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/16082c79916b37---83837870255.pdf
- https://haps.company/wp-content/plugins/super-forms/uploads/php/files/auh81pceaglmukikl5f2r0lpf1/8921130229.pdf
- https://lightspec.com/wp-content/plugins/super-forms/uploads/php/files/61fdbba8fe36d9e0753b7236333fcae4/watijowexajitumigixofutav.pdf
- https://dtcprojects.com.au/wp-content/plugins/super-forms/uploads/php/files/pf0c49ukvoje368a6bair4a16v/debisesozobizoribewubam.pdf
- http://acmemask.com/upfiles/editor/files/25681126564.pdf
- https://www.hdontheroadnapoli.it/wp-content/plugins/formcraft/file-upload/server/content/files/1607fd32ae4330---nipulisowizonirikilokawu.pdf
- http://2girlstrippin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b80639078a4---58232613384.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/Om9ozkHLxGw/uplcv?utm_term=pokemon+mystery+dungeon+explorers+of+sky+ending
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d9da.bin750b7fdc669bdc45af127144afb29a5b79e8662b0fc6479c3164c0a92a71a13f |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD9DA | 11088 bytes |
font_01_sfnt_off0000f388.bin99847605a26ecd2b2b06f02feb510dd3ee130f5c71ce42a82ade63f6d79fe3ea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF388 | 17532 bytes |
font_02_sfnt_off0001216e.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1216E | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.