MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF was detected by ClamAV as 'Pdf.Phishing.Trojan'. Static analysis revealed it functions as a link farm, with numerous URLs pointing to compromised CMS upload directories. One prominent URL, http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/31cbc2fa638ae776f51120dcd42a9854/70791800476.pdf, is specifically flagged as a compromised CMS upload link. This suggests the PDF is designed to lure users into clicking links that may lead to further malicious content or exploits.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3043
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/31cbc2fa638ae776f51120dcd42a9854/70791800476.pdf In PDF document text
- http://dunajecbiala.pl/upload/File/zijanagexawugu.pdfIn PDF document text
- http://drukarnia-warszawa.pl/pliki/file/potuliti.pdfIn PDF document text
- http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611f4f9456fc8---33478120105.pdfIn PDF document text
- http://simpelms.nl/userfiles//files/66666688092.pdfIn PDF document text
- http://mosjob.ru/images/file/45822330014.pdfIn PDF document text
- http://grupogmec.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f4e8dd9ad7---92607761618.pdfIn PDF document text
- http://lovepetclinics.com/file_media/file_image/file/detemipug.pdfIn PDF document text
- http://allasclub.com/campannas/file/dadibuwowabenonuwonomu.pdfIn PDF document text
- https://freebcard.com/ckfinder/userfiles/files/bidolivadisozoluxafowirex.pdfIn PDF document text
- http://enricobarraco.com/files/28945026950.pdfIn PDF document text
- http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/dd177ae5ca21b293f84ff5c044924afe/56059651164.pdfIn PDF document text
- https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/1607a41b6ea073---wexatotubobafujimuwoj.pdfIn PDF document text
- https://educationindiajournal.org/ckfinder/userfiles/files/65549751106.pdfIn PDF document text
- https://hirurgija.me//files/83620599922.pdfIn PDF document text
- https://hondamienbac.vn/userfiles/file/24920512079.pdfIn PDF document text
- https://www.criteriainvest.com.br/wp-content/plugins/super-forms/uploads/php/files/1v0u3ei44ckngmmubjl409r6bk/lobosenumo.pdfIn PDF document text
- https://www.mybizwebsites.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d7b0ae78184---laleta.pdfIn PDF document text
- http://ulv-fogger.es/d/files/zutatupilugovebire.pdfIn PDF document text
- https://abofahed.com/userfiles/file/wukidapejamuwowovoj.pdfIn PDF document text
- https://drmarlenebothma.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16076b90bc00fa---27460841811.pdfIn PDF document text
- http://mashtalkandil.com/userfiles/file/rijafevavugotibolaxal.pdfIn PDF document text
- http://pmdrecycling.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c19d32639e9---23322465206.pdfIn PDF document text
- https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/48db2b032a0d0d9cab16e28bef20e2fe/35068059088.pdfIn PDF document text
- https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/37e80ddd23471a6e9d75eecd7aa699b8/jerivazux.pdfIn PDF document text
- http://www.louthadventures.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1607a22996e8ea---wawanigoseruvupojikokixo.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/PmAiG5ZyT-k/uplcv?utm_term=catapult+made+of+popsicle+sticksPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000eb46.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB46 | 10800 bytes |
SHA-256: 08647d7fc3eb8402b9516bd93fb99ed7321a866793c1c7573411519966373631 |
|||
font_01_sfnt_off00010437.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10437 | 17876 bytes |
SHA-256: e0804af2b1c3024b139f9be171562040647ab4481fe24e297bfc00912c60ee93 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.