MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file is identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains numerous links to external PDF files hosted on compromised websites, suggesting a link farm designed to distribute malware. The document body, though heavily obfuscated, implies a lure for downloading a specific PDF, aligning with a phishing attack pattern.
Machine Learning
- Nyx PDF Classifier malicious score 0.8271
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM: PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info] PDF_URI: PDF contains an external URL action
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000130f8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x130F8 | 5200 bytes |

SHA-256: 2f285319a21bd1b3efeb030df54867109291ad8f0daf4598736c14ff5bccb221