Verdict: MALICIOUS
Risk Score: 124

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
The file was detected as a phishing trojan by ClamAV. Static analysis revealed numerous URLs embedded within the PDF, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users. The presence of these links and the ClamAV detection strongly indicate a phishing or malware distribution attempt.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3253
Heuristics (5)

- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL https://queure.ru/uplcv?utm_term=unclear+pronouns+worksheet (PDF link annotation)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000edd1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDD1 | 10664 bytes | 143de021da8be5d9a6665f51f6860654445bdc812a7667fdb3134ce5a3438352 |
| font_01_sfnt_off0001064f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1064F | 16868 bytes | 6f74d8b8204156a077316bc098d84dd76999e827e2af10542b8ce8e8bf4d70ea |