MALICIOUS
132
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file is a PDF containing embedded JavaScript and a significant number of external URIs, many of which point to compromised WordPress sites. The ClamAV detection and the PDF_SEO_DISPOSABLE_LINK_FARM heuristic indicate a malicious intent, likely to lure users through a link farm. The embedded JavaScript suggests potential for further malicious actions, such as downloading additional payloads or redirecting users to phishing sites.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3973
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://lawtutors.co.uk/js/ckfinder/userfiles/files/mawitotopox.pdf In PDF document text
- https://www.coconutlodge.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c6574d2ea04---saxenebibuzujexelulodob.pdfIn PDF document text
- http://christschoolblr.in/userfiles/file/54855239101.pdfIn PDF document text
- https://markmont.eu/editor_uploads/system/files/35742565001.pdfIn PDF document text
- https://kodcomputers.ro/2664/uploads/dejujapazabujawoxuzafaxa.pdfIn PDF document text
- https://artistprasanna.com/userfiles/file/mirel.pdfIn PDF document text
- https://goodnest.info/tctt/sites/aaa/file/58308345252.pdfIn PDF document text
- https://healthmatters.me/userfiles/file/bisimoderixutakig.pdfIn PDF document text
- http://erpos.sk/data/files/banigamozufamuzikironivaj.pdfIn PDF document text
- http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160853bc3b65c1---fixerivuputefesunefuta.pdfIn PDF document text
- http://thietkewebbacninh.com/webroot/img/files/mifemejabidisepiviruxeneb.pdfIn PDF document text
- https://myveolife.com/wp-content/plugins/super-forms/uploads/php/files/3e0a27299cb400cfed4e8b5f16da6ac9/85045704305.pdfIn PDF document text
- https://balarampurblock.in/ckfinder/userfiles/files/rorufutewup.pdfIn PDF document text
- http://broadgatecapital.com/userfiles/file/752297941.pdfIn PDF document text
- https://smoothnomad.com/wp-content/plugins/super-forms/uploads/php/files/vl0taf21niek9944k2dhcp1nsf/25642522231.pdfIn PDF document text
- https://lorenzonimmigrationlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080ebc5d7935---69490080226.pdfIn PDF document text
- http://mariekevanvlierden.nl/survey/userfiles/files/58753263604.pdfIn PDF document text
- http://vizcsap.hu/files/file/mokunuzaxejozezoxu.pdfIn PDF document text
- https://envomask.com/wp-content/plugins/super-forms/uploads/php/files/81bf96e20d7f7f270fa12dacf29292a2/bozazo.pdfIn PDF document text
- http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160f78a289b8ea---81754860140.pdfIn PDF document text
- https://aldurra.ly/images-editeur/img/file/bivowaxizokupefax.pdfIn PDF document text
- http://tksvolga.ru/userfiles/file/pijoji.pdfIn PDF document text
- https://www.grandeprairie.org/wp-content/plugins/formcraft/file-upload/server/content/files/16092dabbe550b---82949065409.pdfIn PDF document text
- https://www.kcequipment.com.au/wp-content/plugins/super-forms/uploads/php/files/7dde1177af98307ee1f041c6abb42eb4/34490346772.pdfIn PDF document text
- https://lapalettedesarts.fr/gestion/file/dariruxuwenagodudaxe.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=informational+text+5th+grade+worksheetsPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000cdca.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xCDCA | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_01_sfnt_off0000e5e1.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5E1 | 11164 bytes |
SHA-256: 62b03cb2fe0af7abc61455ec3eebb2bd31f7e727eb14c6205d4d9562fe957fc0 |
|||
font_02_sfnt_off0000ffa7.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFA7 | 17552 bytes |
SHA-256: 9b76cd8768ed6d9da4573d8ddf33cd67833729aa6e4c823605df61eaf7f3fd58 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.