Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
This PDF file was detected as malicious by ClamAV and an ML classifier. It contains numerous links, many pointing to compromised WordPress sites, suggesting it functions as a link farm or phishing lure. The presence of embedded PDF objects and the nature of the URLs indicate an attempt to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.7221
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED): The cross-check parser (pdfminer.six) failed on this file: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| stream_005_off000136fd.bin | e5ff0cbf6f6f81c7a0ff79b6864e9f4ee484f6fbfd47bbd898c377b1d1c23fb2 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x136FD | 28900 bytes |
| font_00_sfnt_off00011f77.bin | d22bce1cb838a944d08c05ff5ce5463c5822400d32c44199d79f6b50c1abfcec | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F77 | 10480 bytes |
| font_02_sfnt_off00016b36.bin | 2f32a1b91cd747af6dbf3117a7a603ff1aa4af4872dc970dfead2467a7c23c8f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16B36 | 18268 bytes |
| font_03_sfnt_off000199fc.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x199FC | 16792 bytes |