MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript and a link farm pointing to multiple compromised WordPress sites. These links likely serve as a lure to redirect users to malicious content or phishing sites. The ML classifier strongly indicated maliciousness, supporting the assessment of a phishing or redirection attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9956
Heuristics 6
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.opencalgary.org/wp-content/plugins/formcraft/file-upload/server/content/files/16087d5e58c5a7---busafukumu.pdf
- http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba18b6438f0---18337986017.pdf
- https://amalighting.com/wp-content/plugins/super-forms/uploads/php/files/db913e949cd846c352819d6449e116af/78402026807.pdf
- http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/9b1df586121810059371c3eaa6f13e1c/58835461859.pdf
- https://ecomassage.pt/wp-content/plugins/super-forms/uploads/php/files/q1kr3ol7qb7pqpcbtsgd5l9lml/besizojitemefepeninafij.pdf
- http://sincaremedicaltour.com/js/upload/80881937292.pdf
- https://sellos-mecanicos.com/wp-content/plugins/super-forms/uploads/php/files/ee24ceadb135ec77ce57b81b1ec1c958/83646562265.pdf
- http://gpe-el.pro/ckfinder/userfiles/files/61464093819.pdf
- http://hublihorse.com/uploads/userfiles/files/93865503392.pdf
- http://palyavalaszto.hu/teszt/upload/file/kitebexufitimi.pdf
- http://plenaadoracao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c8ae38be84a---55669101215.pdf
- http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/cf5bf35554787bee93f838797c671c3f/ripamikagenekopemun.pdf
- http://www.sunarmisir.com.tr/wp-content/plugins/super-forms/uploads/php/files/j3uo0h6dg4cecmi2591gie4ps5/tolegedukegew.pdf
- https://espiber.cl/images/uploadedimages/file/kuxupabujoxomosabe.pdf
- https://luxartparquet.com/wp-content/plugins/super-forms/uploads/php/files/16d13f15b5e1bd4c1c4d6470a63884ca/vedikedi.pdf
- http://24cvety.ru/upload/files/22931075651.pdf
- http://polskienarty.pl/data/aktualnosci_imgs/file/jalosinogipiworalotu.pdf
- http://mfplus.ba/wp-content/plugins/formcraft/file-upload/server/content/files/1609df8b92e786---gipunipirigavasutixol.pdf
- http://aftckwt.com/uploads/file/14091543700.pdf
- http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087c3c3c4ac6---14775836688.pdf
- https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4ae328c726---tonagufiz.pdf
- https://perleyparish.org/wp-content/plugins/super-forms/uploads/php/files/fe6da97a0543b6fd579fe2a88ef7f17a/50269775900.pdf
- http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/160ac4e0bcf754---53121405768.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=great+pyrenees+claws
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e772.binbbe9ab608c84c618208d27a8df2b5731bb253ef21281849ce53d5079de048b0b |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE772 | 10396 bytes |
font_01_sfnt_off0000ff36.bin4a337ccba23a361044e2179932f9efbce14d821b5af871c30e21030383306971 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF36 | 17000 bytes |
font_02_sfnt_off00012b47.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B47 | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.