MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.007 JavaScript
This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains numerous URLs pointing to compromised WordPress sites, suggesting an attempt to redirect users to malicious content. The presence of PDF_URI and EMBEDDED_URL heuristics further supports the malicious intent of linking to external, potentially harmful, resources.
Machine Learning
- Nyx PDF Classifier malicious score 0.8124
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://coretry.ru/uplcv?utm_term=estimated+useful+lives+of+depreciable+hospital+assets+2020
- http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084f8cfa1118---74243989412.pdf
- https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/a25c112b815bb5dd7bd1ff772ae9807f/78649049037.pdf
- https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/9a4671debfcc29b2f1d64af3da58f22d/17936080780.pdf
- https://suemsas.com/wp-content/plugins/super-forms/uploads/php/files/cvvv6ogrshenkp1pg6rcsd00o2/fixiruginatoperufubaxuxej.pdf
- https://glosunspa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160788705177c6---madukeme.pdf
- http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/160729fab51a9d---67496146117.pdf
- http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608167deb03d6---lotivogufapoleso.pdf
- http://jjmcp.jp/userfiles/Image/file/zutufavesikomu.pdf
- http://unipell.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160984b6eb6eb3---96641896533.pdf
- http://bayzones.com/fckeditor/editor/filemanager/connectors/php/userfiles/file/depiw.pdf
- http://anhbanglaw.com/userfiles/file/zutedofexipedasigekim.pdf
- http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1608303ad6eda2---31807373127.pdf
- https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/91b078e070acae5fda98bc2618ef112d/xuzelokubiseguxofox.pdf
- https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160721f3595c53---jefixoluligowag.pdf
- https://sportli.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1606f7e6291206---zakezesunebo.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://scripts.sil.org/OFL
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d5c9.bin16ab9178b4b028c87d85964cb63d2a2fa71ea4946a1c7c8578495bcbdfdb3b5e |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD5C9 | 5604 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.