MALICIOUS
Risk Score: 144
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file contains numerous links to external websites, many of which are hosted on compromised WordPress installations or disposable domains, indicating a link farm designed to redirect users to malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a phishing or malware distribution intent. No scripts were extracted, but the extensive use of external links points to a watering hole or phishing attack.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3605
Heuristics 6
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Clickable URI points to raw IP address (medium, PDF_URI_IP_LITERAL): PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.