Malware Insights
The file is identified as a malicious PDF by ClamAV, exhibiting characteristics of a link farm. It contains numerous embedded URLs pointing to various domains, many of which are hosted on compromised CMS upload directories or disposable hosting. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic indicates a deliberate attempt to create a large number of links, likely to manipulate search engine rankings or distribute malicious content. While no scripts were explicitly extracted, the nature of the link farm suggests a phishing or malware distribution vector.
Machine Learning
- Nyx PDF Classifier clean score 0.1383
Heuristics 5
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM: PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info] PDF_URI: PDF contains an external URL action
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00015787.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15787 | 16204 bytes | 9f42e0df0ecddf60bc383a0792bb6d23a4adaf7a034a35fc3b83bc6db910b035 |
| font_01_sfnt_off00016d49.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16D49 | 1696 bytes | 28c5bcedffb0f63c0f18ed07264126f7c833899b916de9a351f9850be7cb6bae |