MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains numerous links pointing to compromised WordPress sites and disposable hosting, indicating it functions as a link farm. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely phishing or malware distribution through these external links. No scripts were extracted, but the heuristic firings and URL analysis are sufficient to infer a malicious purpose.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3615
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://gps-tw.com/CKEdit/upload/files/rorexuzovudurokewafasipim.pdf In PDF document text
- https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/25f120175e47e6795a9d312055f2bf3b/solagizajosajegusuzedipu.pdfIn PDF document text
- http://contextuae.com/resimler/files/2013491934.pdfIn PDF document text
- http://www.magicapro.it/wp-content/plugins/formcraft/file-upload/server/content/files/160a2079d16220---54996558935.pdfIn PDF document text
- http://www.northeastmarquees.com/wp-content/plugins/super-forms/uploads/php/files/839252d17a064bba0855b41638fbee51/50972802487.pdfIn PDF document text
- http://vasilii-orlov.fun/wp-content/plugins/super-forms/uploads/php/files/18880b9817c62b3c7283751b9613355b/53118652139.pdfIn PDF document text
- http://fatamorgana.fr/uploads/assets/file/wivuzobodiwewegobegigi.pdfIn PDF document text
- https://cor.org.ar/wp-content/plugins/super-forms/uploads/php/files/770cps2ja3ju85brai47ucs98c/32373368036.pdfIn PDF document text
- https://tidaksusah.com/contents//files/27071773950.pdfIn PDF document text
- https://provisionsinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608333c5a7eff---92578768543.pdfIn PDF document text
- https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/160716f919945a.pdfIn PDF document text
- https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/38a2ea8fcd32498098ee9dc70ede20eb/30331544390.pdfIn PDF document text
- https://www.sanier.pl/wp-content/plugins/super-forms/uploads/php/files/r26cgpbaqccoih4mc7bvg1mmof/27899894668.pdfIn PDF document text
- https://njsolarpower.com/wp-content/plugins/super-forms/uploads/php/files/221879f3eedd398637a26ce0c059cae0/rewamapoweda.pdfIn PDF document text
- https://joepromenshealth.com/wp-content/plugins/super-forms/uploads/php/files/62c9ebf519df247113a915c23a30a7b0/rezowozebaxenowateboju.pdfIn PDF document text
- http://anhuicrew.com/upload_fck/file/2021-6-23/20210623020929655353.pdfIn PDF document text
- https://makiriaszto.hu/ckfinder/userfiles/files/22416474073.pdfIn PDF document text
- https://www.nordatec.com/wp-content/plugins/super-forms/uploads/php/files/kj99gl6c6d0se3t5r7o7pne9vj/keguwitikawotuwiwinefikes.pdfIn PDF document text
- https://uniqrelation.com/userfiles/file/24370222707.pdfIn PDF document text
- https://www.sgestrecho.es/wp-content/plugins/formcraft/file-upload/server/content/files/1609b47caf0b1b---67343004389.pdfIn PDF document text
- http://centralgiving.com/media/userfiles/file/13167804255.pdfIn PDF document text
- http://anaminfo.com/attachfile/file/ropesefobokobuxedogagozer.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=what+value+will+you+add+to+our+company+interview+answerPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00011959.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11959 | 11136 bytes |
SHA-256: 3deb8bba8eb4ad7c8a0e8a14a3d7613639304f1f983f5f1a9e7202380bae4504 |
|||
font_01_sfnt_off00013342.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x13342 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
font_02_sfnt_off00014b54.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14B54 | 17964 bytes |
SHA-256: a007672712e21ff02496ffc9007707446e471c33709c3ed20d3b6081fbfb69a3 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.