MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript and multiple external URIs, many of which point to compromised CMS uploads or disposable hosting, indicating a link farm designed to redirect users. The ML classifier also flagged this PDF as malicious. The embedded JavaScript likely facilitates the redirection or further malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 0.9410
Heuristics 6
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILEDThe cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://abwjefferson.com/uploads/files/tulovabujizemadowizoza.pdf In PDF document text
- https://lanhcongnghiepthinhphat.com/upload/files/disifamig.pdfIn PDF document text
- https://otdelkamos.ru/wp-content/plugins/super-forms/uploads/php/files/a2c4f7caf865144099e76cab4f71eabf/fazozixu.pdfIn PDF document text
- https://metroguards.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16120227e9b315---waxovupabefijinako.pdfIn PDF document text
- http://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/16077ac4c3e8c9---85236146096.pdfIn PDF document text
- https://vmkstroi.ru/wp-content/plugins/super-forms/uploads/php/files/c75a5e3ab1ed5b030df6710d94c12716/61274492244.pdfIn PDF document text
- http://bellina.pl/userfiles/file/mewepufe.pdfIn PDF document text
- http://www.luminicaambiental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f358c79e7c2---gisejozebutovogumimijasat.pdfIn PDF document text
- http://ural-kip.ru/admin/ckfinder/userfiles/files/26456782217.pdfIn PDF document text
- https://consjurist.ru/uploads/files/58999380253.pdfIn PDF document text
- https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cbbcbca09a9---7893817976.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c680f499254---84079612640.pdfIn PDF document text
- https://lightupalife.org.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16077a170cba9d---rufafowipaxelevu.pdfIn PDF document text
- http://sip7.online/wp-content/plugins/super-forms/uploads/php/files/987a16fdc656cde3572119513d8c7ace/nozosemedoxanesizusu.pdfIn PDF document text
- http://hanboo.cn/Uploads/file/2021061111564770554.pdfIn PDF document text
- https://belgradenightlife.info/wp-content/plugins/super-forms/uploads/php/files/7c98se8qdr9vjle9cantpihlfe/27409175207.pdfIn PDF document text
- https://bonekarusa.com/contents//files/74868929613.pdfIn PDF document text
- https://bankkartya.hu/js/ckfinder/userfiles/files/riloziviloburozozeneto.pdfIn PDF document text
- http://slsnn.ru/content/file/nurubevenitu.pdfIn PDF document text
- http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d3d5468034---nonowevu.pdfIn PDF document text
- http://jentretiens.ch/uploadimage/62779566718.pdfIn PDF document text
- http://finsura-lifedirect.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16072f932501c8---14723194925.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3CAf4wW3hvY/uplcv?utm_term=afk+arena+best+itemsPDF link annotation
- http://lovewhereyoulv.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/d1dcbf8b26761ca9f1352d5d5db1db06/99083001279.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010417.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10417 | 10424 bytes |
SHA-256: 0b4419c6c627b0c976eb67e9e284908a7eb0ce36e23dc7c026cc92d6dcb41895 |
|||
font_01_sfnt_off00011bba.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11BBA | 20236 bytes |
SHA-256: 40a31670d4982ddbf690b2b8737addd7682df74144a37ecc57ebc8daed6c3166 |
|||
font_02_sfnt_off00015161.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x15161 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.