Verdict: MALICIOUS (Risk Score: 64)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a link farm designed to redirect users to various compromised WordPress sites. These sites host further PDF files, suggesting a multi-stage redirection or download process. The presence of numerous links on disposable hosting and compromised CMS upload locations indicates a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier clean score 0.2141
Heuristics 4
- PDF link farm points to compromised-WordPress upload storage (medium, `PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM`): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, `PDF_SEO_DISPOSABLE_LINK_FARM`): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, `PDF_URI`): PDF contains an external URL action.
- Embedded URL (info, `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00010667.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10667 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
| font_01_sfnt_off00011e7e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E7E | 10624 bytes | 205c0580aee5e0afda06b7e47719f8ed8dcb7088b810c81a320fddd65823e837 |
| font_02_sfnt_off000136d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x136D0 | 16804 bytes | d806700ce850c17a45e570401243c895a1c30f1af5f27cdeca9bda29f88cee81 |