Verdict: MALICIOUS
Risk Score: 124
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF file contains numerous embedded URLs that form a link farm, directing users to compromised WordPress upload directories and other disposable hosting sites. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely to lure users into clicking malicious links for phishing or malware downloads. No scripts were extracted, but the structure and URL patterns are indicative of a phishing or redirection campaign.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4045
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://oniceh.ru/uplcv?utm_term=fully+compensated+metabolic+alkalosis (PDF link annotation)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f073.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF073 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
| font_01_sfnt_off0001088a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1088A | 10996 bytes | 79cc87ae4cb6eb0acfe99ec5d9443aacae9b9319ddb85b0d2df6cc79720594d4 |
| font_02_sfnt_off000121e4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x121E4 | 16472 bytes | 66c9a441a8660a2564442f09ea066545900cbb54e4d75652a1e9d3721b5f8371 |