MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
This PDF file was detected as malicious by ClamAV and ML classifiers, indicating a phishing or trojan threat. It contains numerous links, many pointing to compromised CMS uploads or disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The document body is heavily obfuscated and appears to be generated by wkhtmltopdf, lacking clear user-facing content but containing embedded URLs.
Machine Learning
- Nyx PDF Classifier malicious score 0.5347
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000db38.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDB38 | 18264 bytes | 4539788d3aed338d118339922edbbdf0a2f0da7243cda737a9b000c22ba3b9bd |
| font_01_sfnt_off00010add.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10ADD | 10984 bytes | bf365ed23d387f396f3ba0c2d5a03151d65748f945ae92e5b0ea3f8202b57c6d |
| font_02_sfnt_off00012423.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12423 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |