MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The sample was detected as a malicious PDF by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous links, many pointing to compromised WordPress upload directories, suggesting a phishing or malware distribution scheme. The document body, though heavily obfuscated, contains metadata related to wkhtmltopdf and a date, but no clear textual lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9756
Heuristics 4
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/1691b3a7f0877758f91f2fa93afb198d/kozafinomofezisoriguwepe.pdf
- https://www.chinacimctrailer.com/wp-content/plugins/super-forms/uploads/php/files/10bbf4e04741698947c597c76ec40d76/5821131331.pdf
- https://okazdedziecko.pl/_files/Media/file/fofekojodebevev.pdf
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abae39e34d7---bikizosibubovevemizewibav.pdf
- http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/s0o82kfvd0tg88ih6aci1k4292/redotetujakusepuxexu.pdf
- http://audiencefertilization.com/fckeditor/editor/filemanager/connectors/php/userfiles/file/kogutekodurajemebomadi.pdf
- https://www.toptalentusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2a12e4df9c---vitifaguga.pdf
- http://forter.vn/hinhanh/file/pedadivudutog.pdf
- https://www.lightingsolutionsinc.net/wp-content/plugins/super-forms/uploads/php/files/6d78e0e66124bd005a2ba742387d9ab7/27798720869.pdf
- http://bradleyhillsapartments.com/demo/uploads/contents/file/85098797737.pdf
- https://personalloan2u.com/wp-content/plugins/super-forms/uploads/php/files/aa84482a86c1c5d805fbe3858b05d1b3/38388571758.pdf
- http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/dsiq4du4bqketlqt85v4i3ek83/finajigomutijilapijosisi.pdf
- http://www.immiflex.com/wp-content/plugins/formcraft/file-upload/server/content/files/160901f9680c29---28794970773.pdf
- https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160736a5d07258---zenowezipovubibaxu.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=temario+oposiciones+mossos+d%2527esquadra+2021
- http://scripts.sil.org/OFL
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000d2c3.bineba65f0c8badf2572c826b4c3fdc2279f7ee240b4c2e329c35b46e351a063f79 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xD2C3 | 5624 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.