MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The sample is identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, directing users through multiple compromised WordPress sites. The presence of numerous links to disposable hosting and compromised CMS upload storage suggests a phishing or malware distribution scheme. No scripts were extracted, but the PDF structure and URL patterns are indicative of a malicious lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.6770
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://rhythmcprandfirstaid.com/wp-content/plugins/super-forms/uploads/php/files/8e17081e962fff482fcfaeebdb4a906e/6860910305.pdf In PDF document text
- http://www.orhancoskun.com/wp-content/plugins/formcraft/file-upload/server/content/files/160849226d11a7---3420416127.pdfIn PDF document text
- http://triumphtoday.org/wp-content/plugins/formcraft/file-upload/server/content/files/160a8490dd61be---vobijalerejudofixixali.pdfIn PDF document text
- https://mavismanagement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a87291d0e35---jizij.pdfIn PDF document text
- https://1sis.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a95724ae746---66771227706.pdfIn PDF document text
- http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160a156ea5fe53---5144880231.pdfIn PDF document text
- http://kingcraftviet.com/uploads/ckfinder/files/831830231.pdfIn PDF document text
- https://medicentrumnz.eu/medicentrum/files/file/tuxoxovubewexon.pdfIn PDF document text
- http://studiotecnicobonoli.com/userfiles/files/liwibulegefevuzixemok.pdfIn PDF document text
- https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/p2fh3j5uajgqme2sim3fq5skr4/megafukamago.pdfIn PDF document text
- https://ilc.ua/wp-content/plugins/super-forms/uploads/php/files/vsm2rellfg8hfn2h4qvvhq7bd1/pekufogujujimazisoderit.pdfIn PDF document text
- http://parkhigh65.com/clients/4970/File/52838581918.pdfIn PDF document text
- https://www.inter-tube.co.uk/wp-content/plugins/super-forms/uploads/php/files/950210228f309b84fb776046c3f19dd5/8806419915.pdfIn PDF document text
- http://accessprecision.com/userfiles/file/50671163364.pdfIn PDF document text
- https://www.crossfitparamaribo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607893cfbce1d---biniguwurupukadapo.pdfIn PDF document text
- http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160c6d94c23afd---55176933839.pdfIn PDF document text
- https://metal-et-verre.ch/ckfinder/userfiles/files/lituxutani.pdfIn PDF document text
- http://j-club.eu/userfiles/file/fabozutuwodatepubovakot.pdfIn PDF document text
- https://sumangold.net.vn/wp-content/plugins/super-forms/uploads/php/files/d3uot4ekl3rtp5fpb534jei5n8/kitukumasurepifum.pdfIn PDF document text
- http://vervesimuhub.com/userfiles/file/79024976264.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c33f7593670---21070671326.pdfIn PDF document text
- http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160864364ca6e2---pilavop.pdfIn PDF document text
- http://beckydavidsonhomes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160872690184ca---viragekojunojepezetoga.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/PmAiG5ZyT-k/uplcv?utm_term=baby+ghost+corn+snakePDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ee05.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE05 | 10772 bytes |
SHA-256: d37b7f55d24cbe21c035d3ee4f2d3f94f2351e92b73ee8f0efd390fa0b7bd7bd |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.