Verdict: MALICIOUS
Risk Score: 132
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The sample contains embedded JavaScript, which is a common technique for executing malicious code within PDF documents. It also features a link farm pointing to compromised WordPress upload storage, indicating an attempt to host and distribute malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature, likely used as a phishing lure or a downloader for further stages.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3638
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM). PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM). Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Embedded JS stream (low, PDF_JS). PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (info, PDF_URI). PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.