MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample is a PDF containing embedded JavaScript and a link farm pointing to compromised WordPress sites. This indicates a phishing attempt, likely to lure victims to malicious content hosted on these sites. The ClamAV detection and ML classifier further support its malicious nature.
Machine Learning
- Nyx PDF Classifier malicious score 0.7422
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Embedded JS stream (low, PDF_JS)
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (info, PDF_URI)
  PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.