MALICIOUS
Risk Score: 124
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF file contains numerous links to external websites, many of which are hosted on compromised WordPress installations or disposable domains, suggesting a link farm for phishing or malware distribution. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports malicious intent. While no scripts were extracted, the nature of the links and the heuristic firings indicate a likely attempt to redirect users to malicious content.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4208
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link farm points to compromised-WordPress upload storage [medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]: PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Extracted URLs:
  - https://www.helpfulhunks.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16080d71c25860---45213371958.pdf (in PDF document text)
  - https://audit-advisers.com/userfiles/file/xewimefusorutoj.pdf (in PDF document text)
  - https://idfusionllc.com/wp-content/plugins/super-forms/uploads/php/files/f21ae41948d88a4e6638ffeaa694a49c/mekipir.pdf (in PDF document text)
  - http://www.platformliften.info/wp-content/plugins/formcraft/file-upload/server/content/files/1608f5362a4c16---gifefomunepa.pdf (in PDF document text)
  - https://bioesteticaonline.it/file/vegijefejexedetijazesugu.pdf (in PDF document text)
  - http://kleiberit.ru/files/file/zapekimenepasoninupi.pdf (in PDF document text)
  - http://vogiantinhmach.com/media/ftp/file/22807118593.pdf (in PDF document text)
  - https://gresathouse.com/wp-content/plugins/super-forms/uploads/php/files/081863e860429872de9d0783b193ce61/tamid.pdf (in PDF document text)
  - http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/160a1504524e6a---tabunusefesid.pdf (in PDF document text)
  - https://flvirginia.com/wp-content/plugins/super-forms/uploads/php/files/550421b531689de312dc4a7def996a03/satodidetanavopipitoxe.pdf (in PDF document text)
  - https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/79vdgnqfcjnhmu9phujd8diqsk/66800012933.pdf (in PDF document text)
  - http://3duct.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609eea14b657a---jaloloxikovafaginazovumun.pdf (in PDF document text)
  - https://licorne-hotel-restaurant.com/userfiles/file/zopibezebeguxakula.pdf (in PDF document text)
  - https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/8gnp89supj1eg4gg2bodg9c1nq/51497591689.pdf (in PDF document text)
  - http://folientastaturen.pl/_data/file/61180764015.pdf (in PDF document text)
  - https://elitestrategyglobal.com/wp-content/plugins/super-forms/uploads/php/files/90ac534333efae79fcd72cf23bf04128/kubenowimejaxodibul.pdf (in PDF document text)
  - https://nailseasupportgroup.com/wp-content/plugins/super-forms/uploads/php/files/447023ec2f55ca2fff9fa1e3751621a3/xumitusopali.pdf (in PDF document text)
  - http://come2menorca.com/images/file/dozoregapanujetowaja.pdf (in PDF document text)
  - https://www.swx.global/wp-content/plugins/super-forms/uploads/php/files/1f40e052a954502f2c067308c9bfe779/zerudaxegofubaz.pdf (in PDF document text)
  - http://k-yoga.org/file_upload/spaw_upload/file/20210515092323.pdf (in PDF document text)
  - https://www.beewellrx.com/wp-content/plugins/super-forms/uploads/php/files/tmp/78349692376.pdf (in PDF document text)
  - http://sl1971.com/clients/5/51/517263f0417f9379c67e6eba0e0bdfe8/File/sazazevukezilapudeva.pdf (in PDF document text)
  - http://mirai-kankyo.com/userfiles/files/gurikuli.pdf (in PDF document text)
  - http://absolutelyneon.com/userfiles/file/32765463698.pdf (in PDF document text)
  - https://sellos-mecanicos.com/wp-content/plugins/super-forms/uploads/php/files/5f830267a61a1d5cc51d950026ef8e8a/xavagemosoti.pdf (in PDF document text)
  - https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=word+and+excel+to+pdf+converter+free+download (PDF link annotation)
  - http://dejavu.sourceforge.net (in PDF document text)
  - http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000f326.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF326 | 17112 bytes | 4dff6b0fd13464ac0e461b545c4d4bcc63e51c79b5adeb46ae604a6473822678 |
| font_01_sfnt_off00011fe7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11FE7 | 10600 bytes | b5c1e961593405523bfb280e1c4e651d191d223f2e25ff818773a3bb90eb23b2 |