MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF file contains multiple links to compromised WordPress upload directories, suggesting it is used for phishing or malware distribution. The heuristic 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' and the ML classifier output strongly indicate malicious intent. The embedded URLs likely serve as lures to download further malicious content or phish for credentials.
Machine Learning
- Nyx PDF Classifier malicious score 0.9287
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://crysiq.ru/uplcv?utm_term=best+gba+bios+files
- http://www.appsolutely.sg/wp-content/plugins/formcraft/file-upload/server/content/files/1607c71dd1757e---tibibosegawafumarobogew.pdf
- https://www.sharpeningfactory.com/wp-content/plugins/formcraft/file-upload/server/content/files/160764ff2d283c---20492292158.pdf
- https://www.tangelo.no/wp-content/plugins/formcraft/file-upload/server/content/files/1608100f64d94c---69435455064.pdf
- https://lightspec.ca/wp-content/plugins/super-forms/uploads/php/files/810c58ecea589214b4e17c3ac1af920f/zezikejuzopexol.pdf
- https://brandonsmilesdentistry.com/wp-content/plugins/super-forms/uploads/php/files/g82182ji2qf91n0t08dghgok47/ruvetexop.pdf
- https://fortlauderdale-carservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c93839ad26---kegejulujonexelaf.pdf
- https://joefairless.com/wp-content/plugins/super-forms/uploads/php/files/e1dbd67db56f19b39aaae843d553494e/91618473768.pdf
- https://unitedcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087742704fe8---4177958669.pdf
- http://al-bandak.com/userfiles/file/43841585633.pdf
- http://www.telsercom.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098485ee00c0---21743783120.pdf
- http://deurwater.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f1d9ebc5cf---geduraxakabibumanu.pdf
- https://urbanplace.me/wp-content/plugins/super-forms/uploads/php/files/bce485dbb281f53b03faf3081dfe7f52/pileguxiwivibibutuwota.pdf
- https://isosklo.cz./uploads/57790635388.pdf
- http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d6fbd51792---nelekegatebadevetodijuvok.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://scripts.sil.org/OFL
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000e4b6.bin2bbc8bdc4d098715d46723d8c63d7c863a244da1f3bdd951dee8a9e82bc5f1be |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4B6 | 5028 bytes |
font_01_sfnt_off0000f5f3.binb0d5a6af2763ee877236a8362ce9457290cc316ebfa71b14e20b181325def5e0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5F3 | 10556 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.