Verdict: MALICIOUS
Risk Score: 124
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF document contains numerous links to external websites, many of which appear to be compromised WordPress installations or disposable hosting. The ClamAV detection 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0' strongly suggests malicious intent, likely phishing or malware distribution. The document body's reference to 'download fast and furious 9 hd' serves as a lure to entice users to click on the embedded malicious links.
Machine Learning
- Nyx PDF Classifier suspicious score 0.2863
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage [medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]: PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]: Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://huntic.ru/uplcv?utm_term=download+fast+and+furious+9+hd (PDF link annotation)
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e929.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE929 | 104640 bytes | 7105cc35f7742cb4e77221939ba35db4e52ed810e08671e089be958355dc3d62 |
| font_01_sfnt_off00021e83.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21E83 | 5240 bytes | 8b02ad0e6c604be13150c198a8031c5b0570ca98750ef591d101529760e03b9d |
| font_02_sfnt_off0002305c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2305C | 2288 bytes | 3a14ab69a8b12e47d594e4d31ff49bbb89731765a55fb2c3f8087a1c7584994c |
| font_03_sfnt_off00023ac1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23AC1 | 10672 bytes | 71c7fac414519394b26588df96fd552613c76625ebb623a05bdb96871e40fbf3 |
| font_04_sfnt_off00025f6e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25F6E | 19840 bytes | f483479217618687cda18dfa2f61a330706b28f768cdf7a2e45d9f60d9a12e39 |