MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It functions as a link farm, directing users to multiple compromised WordPress sites hosting PDF files, likely as part of a phishing campaign. The embedded URLs suggest an attempt to lure users into downloading further malicious content or visiting credential-harvesting pages.
Machine Learning
- Nyx PDF Classifier malicious score 0.5387
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/16095dad178a27---11764975534.pdf
- http://angelescare.com/userfiles/file/54234089756.pdf
- https://janeunchained.com/wp-content/plugins/super-forms/uploads/php/files/v81dkgmttcmljm6nea19pqoga2/52936658523.pdf
- http://jarosi.hu/files/file/49274472170.pdf
- https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/9c4e859c475340e30b7a1bb53287cc31/tofatagaxawubazebawa.pdf
- https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/072d0e9902d053319f3850f901eac856/6257299310.pdf
- http://adamlegal.com/userfiles/file/ruxokunugokubanegiguwi.pdf
- http://slowjamsundays.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d1af3287f8---xegikozefelafetipedematoj.pdf
- http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609d30ede266e---velediwolubagamoxozis.pdf
- https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/75d5b4dea3845c6f304ba6cdb5e29ff9/2835211288.pdf
- https://sketchup360.vn/wp-content/plugins/super-forms/uploads/php/files/e1sko6mvd831roug4rqv48m4o5/35881889450.pdf
- https://www.teppiche-waschen-hamburg.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c6a6be8be93---45034849319.pdf
- http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/3186f04a097df324b297eac1db080f6a/jifaguvovufobepidu.pdf
- https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/3729a407753d5e8c978adc42755ed1d7/16887332761.pdf
- https://promocionesnma.com/wp-content/plugins/super-forms/uploads/php/files/406d6511fcaf4ee6f12224cce0bc35b4/5221868561.pdf
- https://www.chartsunlimited.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/16076babc29d85---35475880485.pdf
- https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/785ba730b9e6562605814eeba519af6f/lazamakejugiwibilesiwovir.pdf
- http://baanpowertrain.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ce2649128c9---masojoronibaviroxifixo.pdf
- https://rosedreamholidayhomes.com/ckfinder/userfiles/files/liverenotigobup.pdf
- https://web-sila.ru/wp-content/plugins/super-forms/uploads/php/files/fdfa2b5d63c4db3658d1a99a43cd5f0b/23014952471.pdf
- https://technok.cz/wp-content/plugins/super-forms/uploads/php/files/bd88622bda1cb09db01aea31474613d0/75853664351.pdf
- https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1073d69ca2---37558000877.pdf
- http://connect-senior.ch/uploades/userfiles/file/10478396713.pdf
- http://for-rent-leuven.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b87f30b6e5---52453841465.pdf
- https://genesislighting.net/wp-content/plugins/super-forms/uploads/php/files/ad29804d21239ed9000f0492807c3377/tigofalibavul.pdf
- http://sakaryakasaplarodasi.org/userfiles/file/gozekejozuwawawuximuga.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=locate+commercial+real+estate
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000ee86.binc41cf341ff786a3415e7e31b0f56d7c2eea5587da1a76d12900ad8581984da83 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE86 | 16884 bytes |
font_01_sfnt_off00011a4f.bin9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A4F | 16792 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.