Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
This PDF file was identified as malicious by ML classifiers and ClamAV, indicating it likely serves as a phishing or trojan delivery mechanism. The file contains a link farm pointing to multiple compromised WordPress sites, suggesting an attempt to lure users to malicious content or downloads. The presence of numerous external URIs and the PDF_SEO_DISPOSABLE_LINK_FARM heuristic further support its role as a distribution point for malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.6966
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000ea1e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA1E | 10836 bytes | 75e43cae439e9114f8e49b9ccdde97812bb93b3f5e570746174de9b6e958a7e1 |
| font_01_sfnt_off00010325.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10325 | 17404 bytes | f7d818c846b4330f36c569b9e7bfc76134145f19a7ee6acdfcc5febe4fe04cc6 |