Verdict: MALICIOUS
Risk Score: 154
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains numerous links pointing to compromised WordPress sites, identified as a link farm. The ClamAV detection and ML classifier further indicate malicious intent, likely for phishing or distributing further malware. The embedded URLs are part of a link farm strategy to obscure the final destination.
Machine Learning
- Nyx PDF Classifier malicious score 0.5984
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses)
- http://www.blackhillsdancecentre.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5e1fa7bf3---60260415571.pdf (in PDF document text)
- https://antoinepanau.com/wp-content/plugins/super-forms/uploads/php/files/bc7d26cc13422ef7e96478f087cc8679/7582836718.pdf (in PDF document text)
- http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/160af7b2a6390c---63154196234.pdf (in PDF document text)
- https://qualitylightsolutions.com/wp-content/plugins/super-forms/uploads/php/files/e9d4d3d83d1f254bb21181e7c3a69278/kexobu.pdf (in PDF document text)
- http://juniorsmagazine.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072208328ed5---mogusavojuwobobilu.pdf (in PDF document text)
- http://amtusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607807f93dab0---zovezeneziruwisukuvuwaduv.pdf (in PDF document text)
- https://www.ogblfrontaliers.fr/wp-content/plugins/super-forms/uploads/php/files/au026501lrb29b8a1q45ouktrj/70429556530.pdf (in PDF document text)
- https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca90ed7a8d---zapodowuvegam.pdf (in PDF document text)
- https://unicornproduction.gr/wp-content/plugins/super-forms/uploads/php/files/448b8fa9d65f637987985ad97e7ce999/942281545.pdf (in PDF document text)
- https://fietenhaardenenkachels.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16082362dd4d78---54083235348.pdf (in PDF document text)
- http://www.grupohk.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608d0b5c349f2---84147210001.pdf (in PDF document text)
- http://www.majoriscambio.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607aba7005e50---89775321616.pdf (in PDF document text)
- http://www.megasaludips.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a509baddc8---julaxivib.pdf (in PDF document text)
- http://ankaser.com/userfiles/file/navixikoxolofokomume.pdf (in PDF document text)
- http://trenermichal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160714d31eb99e---zutobosak.pdf (in PDF document text)
- http://microlana.com/ckfinder/userfiles/files/90046169447.pdf (in PDF document text)
- https://balajitutorial.com/admin/userfiles/file/toberi.pdf (in PDF document text)
- http://www.hollyskauaicondo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a819818da5---pulunutojiruni.pdf (in PDF document text)
- http://bloomx.com/sites/all/sites/bloomx.com/files/9325107530.pdf (in PDF document text)
- https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/47a6fc696a03c060a73fbee54c9b3369/11892763328.pdf (in PDF document text)
- http://mfahk.com/upload/files/sifadavefidopoxi.pdf (in PDF document text)
- http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093cb36d7404---waruwaragelogotofejenave.pdf (in PDF document text)
- http://samrayburnclassof1980reunion.com/clients/873185/File/82245303369.pdf (in PDF document text)
- http://xn--80akij1ajew.xn--p1ai/wp-content/plugins/formcraft/file-upload/server/content/files/16072b8f5b1448---rolesezalomivife.pdf (in PDF document text)
- https://feedproxy.google.com/~r/skout/mBVl/~3/1KS0DP0cxss/uplcv?utm_term=flowers+that+represent+death (PDF link annotation)
- http://dejavu.sourceforge.net (in PDF document text)
- http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000fd27.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD27 | 10460 bytes | df30819a06ea2ad12eb8ea11c2f2d63ea8d56c93704e109539afc718b3aa3e0c |
| font_01_sfnt_off000114e9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x114E9 | 17488 bytes | 4d359ac9bafb801957eccaa56dcf2f8e141b8f9ce000a4229df19246c431f831 |