MALICIOUS
194
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
This PDF file contains numerous links to external websites, many hosted on compromised WordPress installations, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of PDF_RANDOM_URL_LINK and PDF_SEO_DISPOSABLE_LINK_FARM heuristics further supports the conclusion that the PDF is designed to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9121
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://archism.ru/uplcv?utm_term=walter+reed+ent+clinic PDF link annotation
- https://www.frankreich-ferien.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160c056131429b---41176722726.pdfIn PDF document text
- https://designcoordinators.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073d1b0124fd---96421079327.pdfIn PDF document text
- http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160afbf48404b9---lujudetoxorakekoku.pdfIn PDF document text
- https://lashmakerpro.it/wp-content/plugins/super-forms/uploads/php/files/9sllv73ff63in5nnqupskksqj4/26985856230.pdfIn PDF document text
- http://premiercontractinginc.com/files/file/zumujidadevezewopageb.pdfIn PDF document text
- https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b70f03affe2---xerisusomugoganerajuriwi.pdfIn PDF document text
- http://ampletrekking.com/userfiles/file/wodomulezitomarifitote.pdfIn PDF document text
- https://maloneslandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2315ca39c3---sojoremonemisiborunome.pdfIn PDF document text
- http://k-yoga.org/file_upload/spaw_upload/file/20210515045319.pdfIn PDF document text
- https://www.lenoir-elec.com/wp-content/plugins/super-forms/uploads/php/files/63f36n4c12qhr2p7r1kgqemd1k/vidosigupakulomivoduzefa.pdfIn PDF document text
- http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160b836dd8fe94---62667034738.pdfIn PDF document text
- https://creteservices.com/FCKeditor/userimages/file/fusazodevisidulirojen.pdfIn PDF document text
- http://artistalexanderkanevskywinnerinternationalaward.com/clientMedia/file/42147274764.pdfIn PDF document text
- http://mhinflatable.com/upload/file/fusedebexi.pdfIn PDF document text
- http://aucoindeshalles.fr/menu/file/jomufukitexibojaj.pdfIn PDF document text
- http://chicagohalo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160819bda91757---92258127396.pdfIn PDF document text
- https://comobrew.com/newsite/images/user_uploads/file/lotibetixagaboreku.pdfIn PDF document text
- http://elyriahigh1974.org/clients/0/05/052ab20d644b737728595af1a47b4450/File/43276088768.pdfIn PDF document text
- https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609fef0f15dfb---lesuwep.pdfIn PDF document text
- http://vtracauto.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b57855db8d8---28404170580.pdfIn PDF document text
- http://www.virtualaid.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1609a8874cb993---28747973666.pdfIn PDF document text
- http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce121400e1---taranazazegemojaridemuke.pdfIn PDF document text
- http://consulcongress.it/uploads/assets/file/pimabilavedesusezo.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000c44d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xC44D | 16132 bytes |
SHA-256: 75dd2f8ec738303ef02241afd6df067d49542b156215dfad00a0d1e2f185894f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.