MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
This PDF contains embedded JavaScript, which is often used to exploit vulnerabilities or redirect users to malicious sites. The heuristics indicate a link farm pointing to compromised WordPress uploads and disposable hosting, strongly suggesting a phishing or malware distribution scheme. The embedded URLs, such as 'https://philabc.ru/uplcv?utm_term=ms+word+2007+crack+download', further support the lure of downloading cracked software, a common tactic for distributing malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.8239
Heuristics 6
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://philabc.ru/uplcv?utm_term=ms+word+2007+crack+download PDF link annotation
- https://kindliving.org/wp-content/plugins/super-forms/uploads/php/files/tmp/neboduwulas.pdfIn PDF document text
- https://amagi.la/wp-content/plugins/formcraft/file-upload/server/content/files/1609ecc47621b7---95677346343.pdfIn PDF document text
- https://olgapopovaphoto.com/wp-content/plugins/super-forms/uploads/php/files/7be9df16ddd68fb2978db1923e28ee41/zesateboxofevufewapidig.pdfIn PDF document text
- https://www.generalutilities.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096039365e41---81346775818.pdfIn PDF document text
- https://techson-cctv.com/upload/file/13246498426.pdfIn PDF document text
- http://www.bewegeninarnhem.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608b48cada895---29046773313.pdfIn PDF document text
- https://benchmarktransitions.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083ff90bfac7---vonejok.pdfIn PDF document text
- http://snsi.jp/image/news_file/27489565917.pdfIn PDF document text
- https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/db0f728cb6cf354a7b7c57e523ec650a/37065126034.pdfIn PDF document text
- https://beaumont-residence.com/wp-content/plugins/super-forms/uploads/php/files/moid0334fhn9f2jtvkvi1mq0rv/jogiwav.pdfIn PDF document text
- https://patriot.ch/wp-content/plugins/super-forms/uploads/php/files/rsvdfimppal5fsekql7jgepkc9/wufilike.pdfIn PDF document text
- http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0850aec506---94056887044.pdfIn PDF document text
- https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/33e63f9f7915ce7a2a297566f62b72a2/rudaraxuriniliritivivu.pdfIn PDF document text
- https://daleel.global/wp-content/plugins/super-forms/uploads/php/files/gjbgb45c1kvmqvc0u9j38htgk8/17200637878.pdfIn PDF document text
- https://gfow.om/wp-content/plugins/super-forms/uploads/php/files/klmi5d5arki5isfaph1k06o0gk/solofidusudegaluso.pdfIn PDF document text
- http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160ba407fd76a2---mogagologusupokiraxos.pdfIn PDF document text
- https://soyana.de/js/ckfinder/userfiles/files/jomifabapuvopi.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://scripts.sil.org/OFLIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000f447.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF447 | 5448 bytes |
SHA-256: ea90cb8d1ca522fbe5a5ca536f18303fd92f6ceb23210342acbb97ce4a9ba651 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.