MALICIOUS
144
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file contains numerous links, many of which point to compromised WordPress installations or disposable hosting, suggesting a link farm designed to distribute malicious content. ClamAV detected this file as a phishing trojan, indicating a high likelihood of malicious intent. The embedded links likely serve as a delivery mechanism for further exploitation.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4208
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
Clickable URI points to raw IP address medium PDF_URI_IP_LITERALPDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://vervesimuhub.com/userfiles/file/sofinikezivo.pdf In PDF document text
- http://bonapartefamilynetwork.com/clients/7/7d/7d081654635712149502d88e72c54c2d/File/gurep.pdfIn PDF document text
- https://astefin.ro/ckfinder/userfiles/files/66577037995.pdfIn PDF document text
- https://www.solucionaesp.com/ckfinder/userfiles/files/78159409786.pdfIn PDF document text
- http://qwerty.pl/_data/file/45880706944.pdfIn PDF document text
- http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/e5b6209d5d78b9781ee5ed82dc052055/74856667660.pdfIn PDF document text
- http://lifestyleufa.ru/wp-content/plugins/super-forms/uploads/php/files/04bbaf7456a6841fdb763d0b305d7e19/monewivapibajaz.pdfIn PDF document text
- https://xn----7sbabak5acz7byau.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/b9e75ffd6e75ead22b120920dc1c46f0/77902028292.pdfIn PDF document text
- http://medica-brno.com/files/tuwosirurojotifupawuwa.pdfIn PDF document text
- http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/160ec4feaaae67---96770460098.pdfPDF link annotation
- https://whiteplacard.com/UserFiles/file/jafemeriseguzudibipula.pdfIn PDF document text
- http://stadiumhighschoolclassof1965.com/clients/0/00/0080f9a3d0f10e930bcfc39f0a940e94/File/nobeliwinotudazogexeli.pdfIn PDF document text
- https://rrvchefs.com/wp-content/plugins/super-forms/uploads/php/files/f5b686d29cb16479dd205b48d0d8196c/nugevixizogu.pdfIn PDF document text
- http://visualpaint.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ee4a8447bc---nulagunexirilisudozira.pdfIn PDF document text
- http://chinoboxingclub.com/clients/36032/File/negiwixumukedujunogafid.pdfIn PDF document text
- https://prikolnaya.com/wp-content/plugins/super-forms/uploads/php/files/c86727df4a77d9cf2e34a1560219d4f3/23887229387.pdfIn PDF document text
- https://babamore.com/upload/ckfinder_temp/files/20210614204231.pdfIn PDF document text
- http://xn----otbb6ahq3d.xn--p1ai/ckfinder/userfiles/files/ketedu.pdfIn PDF document text
- http://theffirm.com/userfiles/file/51483979964.pdfIn PDF document text
- http://www.johnknox.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1608124e2b0003---74259019537.pdfIn PDF document text
- http://ailizia.com/userfiles/50657187756.pdfIn PDF document text
- http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160e2abe26079a---janewomudisoparafegivuxe.pdfIn PDF document text
- https://ckd-otto.com/contents//files/79930325249.pdfIn PDF document text
- https://www.crossfitparamaribo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611df7923d8a4---67258680093.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=prisms+and+pyramids+worksheet+grade+6PDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e0d5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE0D5 | 11256 bytes |
SHA-256: d95848f8697b987f05baee2563e42f30fe9982e02bf29c3c32fc3f2930fa2b62 |
|||
font_01_sfnt_off0000faea.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFAEA | 18600 bytes |
SHA-256: 5d43e4f398be27db2b2d6248995397ff4ed091b286dc58f9410c788935f84823 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.