Verdict: MALICIOUS
Risk Score: 64
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF file contains a large number of external URIs, many of which point to compromised websites or disposable domains. This behavior is indicative of a link farm designed to redirect users to potentially malicious content. The heuristics suggest the document is a link farm on disposable hosting, with links pointing to compromised CMS upload storage.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4746
Heuristics (4)
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs:
- https://queure.ru/uplcv?utm_term=cleft+lip+and+palate+definition (PDF link annotation)
- http://americansemitruckparts.com/d/files/42481428771.pdf (in PDF document text)
- http://fernandopelosini.it/userfiles/files/77848997541.pdf (in PDF document text)
- http://ilovemynewstemcells.com/clients/865932/File/26747976734.pdf (in PDF document text)
- http://iqlacpro.vn/emotive/upload/files/pikulejovunukokiperatubeb.pdf (in PDF document text)
- https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160704e13342fb---88562563829.pdf (in PDF document text)
- https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/j9e2hts8h21cc3cgriefpiuevj/22446879713.pdf (in PDF document text)
- https://mgs-on-track.com/uploads/misc/files/fametizowemulirepeladir.pdf (in PDF document text)
- http://sinoorchids.com/image/file/14488772339.pdf (in PDF document text)
- http://flexa.cz/docs/file/98804147746.pdf (in PDF document text)
- https://inchiriereelicoptere.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160af77a97e105---vatasomabefarugid.pdf (in PDF document text)
- http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160f97a8f6bb99---nosoleduramanexuru.pdf (in PDF document text)
- https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/8ddcf659f25059a3dc51372abb8828f7/18282287576.pdf (in PDF document text)
- https://clubsecurite.fr/webroot/upload/files/benax.pdf (in PDF document text)
- https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/d81a9f7b9cad6039b524ff4446484c15/6556149139.pdf (in PDF document text)
- http://tbm-mova.by/images_from_html_editor/file/dozagevatawanip.pdf (in PDF document text)
- https://indacphuc.com/wp-content/plugins/super-forms/uploads/php/files/pdhsd0tlor5tv1eaps84do5qll/69912099593.pdf (in PDF document text)
- http://erbilsunhotel.com/wp-content/plugins/super-forms/uploads/php/files/u8beab99821rl6c365pbmunha3/bitepibenefibuwob.pdf (in PDF document text)
- https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/5db04763dcad686f6cfa0858e4996cf2/nutimutosizolenomitirozed.pdf (in PDF document text)
- http://savoie-outils-coupants.com/ckfinder/userfiles/files/6771896174.pdf (in PDF document text)
- http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160d248d4e1403---lafamuwivovapuf.pdf (in PDF document text)
- https://b2cexpressdemo.com/userfiles/file/2325774716.pdf (in PDF document text)
- http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c59dadd3174---97165717015.pdf (in PDF document text)
- http://sahrugs.com/userfiles/file/zomezoxosemipiruv.pdf (in PDF document text)
- https://makemycake.gr/wp-content/plugins/super-forms/uploads/php/files/tr7gjkkj5ujn35ajd1727r8cke/8725535971.pdf (in PDF document text)
- https://finestblogger.de/wp-content/plugins/super-forms/uploads/php/files/f00klpbulo1kn493aqckrf241c/60155333063.pdf (in PDF document text)
- https://youkuvpn.com/upload/files/11733012557.pdf (in PDF document text)
- https://koltoztetes-szallitas-lomtalanitas.excore.hu/ckfinder/userfiles/files/refukujuk.pdf (in PDF document text)
- http://dejavu.sourceforge.net (in PDF document text)
- http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00011315.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11315 | 10252 bytes | 6a594283ab5efa5ebcdf9ff0c64ee37129e1e0d99109c0cf189890de2a741bba |