Verdict: MALICIOUS
Risk Score: 94
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains a large number of embedded URLs, most of them pointing at PDFs parked in the file-upload directories of compromised WordPress sites or on disposable hosting, plus a utm_term-keyed redirector link. This is the 'free document/template' SEO-phishing pattern: the document is a link farm built to rank for search queries and route users into redirect/payload chains hosted on compromised sites. The PDF itself carries no exploit; the risk is in the linked destinations. The ML classifier also scored the file strongly malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9481
Heuristics (4)
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in brackets):
- https://cructi.ru/uplcv?utm_term=music+player+sketchware [PDF link annotation]
- https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/cc319155b154fb5857e558b44c19a731/fopadeluragiwovase.pdf [PDF document text]
- https://mexico-airport-transfers.com/ckfinder/userfiles/files/79928305398.pdf [PDF document text]
- http://bukhatirhomes.com/userfiles/file/35457202259.pdf [PDF document text]
- http://gaudi.tw/upload/files/7533247918.pdf [PDF document text]
- http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1612fecd196325---97558471088.pdf [PDF document text]
- https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613ab4f2dc5c4---75559413582.pdf [PDF document text]
- http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612fc054f033b---19736322972.pdf [PDF document text]
- http://sahrugs.com/userfiles/file/wovatudapanitozumaz.pdf [PDF document text]
- https://onderdurdu.com/upload/ckfinder/files/kugogijifijesisuzo.pdf [PDF document text]
- https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/16139055b8c72c---ligasimuruleduvi.pdf [PDF document text]
- https://drinkpoint.com/uploads/files/93496154949.pdf [PDF document text]
- http://wiskind.com/filespath/files/20210919051142.pdf [PDF document text]
- http://diamantina-joaillerie.com/ckfinder/userfiles/files/9879390713.pdf [PDF document text]
- https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/ovi6uau1aor57v7jg6vggs78te/toragus.pdf [PDF document text]
- https://www.bmo-agencement.fr/ckfinder/userfiles/files/katabisoleworagivol.pdf [PDF document text]
- https://skostishoes.com/userfiles/file/mewilojupejujog.pdf [PDF document text]
- http://stefanourso.com/public/userfiles/file/42573652065.pdf [PDF document text]
- https://hse.tw/upload/file/91766217758.pdf [PDF document text]
- https://qualityroofinnandsuites.com/nbloom/fckuploads/file/bukalurewadegifuba.pdf [PDF document text]
- http://www.introspekta.si/ckfinder/ckeditor_uploaded_files/files/lurebadijedaxesiperus.pdf [PDF document text]
- https://gs-hemeringen.de/ablage/userfiles/files/79198280279.pdf [PDF document text]
- http://avs-market.ru/admin/ckfinder/userfiles/files/92716461447.pdf [PDF document text]
- https://premiersuli.hu/files/files/fidosinak.pdf [PDF document text]
- http://uro-medical.pl/zdjecia/fotki/file/73127102154.pdf [PDF document text]
- http://dejavu.sourceforge.net [PDF document text]
- http://dejavu.sourceforge.net/wiki/index.php/License [PDF document text]
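The two link-farm heuristics above are easy to reproduce from the URL list alone. The following is an added example written for this page, not the analyzer's own rule code: it re-implements PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM over the URLs extracted from this sample. The upload-path patterns (FormCraft and Super Forms are named in the report; the CKFinder/FCKeditor-style userfiles paths are inferred from the URL list), the random-slug filename regex and the count/spread thresholds are all assumptions of the example, and a free/disposable-host list is not modelled. The two dejavu.sourceforge.net entries (the DejaVu font licence URLs) are not PDF links and fall out of both checks.

```python
# Added example, not the analyzer's own code: a re-implementation of the two
# link-farm heuristics described above, run over the URL list in this report.
# The pattern lists and thresholds below are this example's assumptions.
import re
from collections import Counter
from urllib.parse import urlparse

# Upload directories this family parks its payload PDFs in. FormCraft and Super
# Forms are named in the report; the CKFinder/FCKeditor paths are an assumption.
CMS_UPLOAD_FAMILIES = {
    "formcraft": re.compile(r"/wp-content/plugins/formcraft/file-upload/"),
    "super-forms": re.compile(r"/wp-content/plugins/super-forms/uploads/"),
    "ckfinder/fckeditor": re.compile(r"/(?:ckfinder|fckuploads|userfiles)/"),
}

# A machine-generated file name: optional hex upload id plus "---", then a bare
# run of digits or lowercase letters. Deliberately weak (a lone word passes);
# it only rejects human names such as "Annual-Report-2021.pdf".
RANDOM_SLUG = re.compile(r"^(?:[0-9a-f]{8,}---)?(?:[0-9]{8,}|[a-z]{6,})\.pdf$")

def cms_upload_family(url):
    """Name of the upload handler the link is parked under, or None."""
    path = urlparse(url).path
    for family, pattern in CMS_UPLOAD_FAMILIES.items():
        if pattern.search(path):
            return family
    return None

def is_random_slug(url):
    basename = urlparse(url).path.rsplit("/", 1)[-1]
    return RANDOM_SLUG.match(basename) is not None

def is_seo_redirector(url):
    """A redirect hop keyed on the search phrase the PDF is meant to rank for."""
    return "utm_term=" in urlparse(url).query

def evaluate_link_farm(urls, min_links=5, min_hosts=5, max_dominant_share=0.25):
    """Run both heuristics over one PDF's URLs; returns (fired_ids, stats)."""
    urls = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    parked = [u for u in pdf_links if cms_upload_family(u) and is_random_slug(u)]
    parked_hosts = {urlparse(u).hostname for u in parked}
    redirectors = [u for u in urls if is_seo_redirector(u)]
    dominant_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0

    fired = []
    # Heuristic 1: many random-slug PDFs parked in CMS upload dirs on many hosts.
    if len(parked) >= min_links and len(parked_hosts) >= min_hosts:
        fired.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    # Heuristic 2: PDF links spread thin with no dominant host, corroborated by
    # a utm_term redirector (a disposable-host list is not modelled here).
    if (len(pdf_links) >= min_links and len(hosts) >= min_hosts
            and dominant_share <= max_dominant_share and redirectors):
        fired.append("PDF_SEO_DISPOSABLE_LINK_FARM")

    stats = {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_host_share": round(dominant_share, 3),
        "upload_parked": len(parked),
        "families": Counter(cms_upload_family(u) for u in parked),
        "seo_redirectors": redirectors,
    }
    return fired, stats

# The URLs listed in this report (first the link annotation, then document text).
REPORT_URLS = [
    "https://cructi.ru/uplcv?utm_term=music+player+sketchware",
    "https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/cc319155b154fb5857e558b44c19a731/fopadeluragiwovase.pdf",
    "https://mexico-airport-transfers.com/ckfinder/userfiles/files/79928305398.pdf",
    "http://bukhatirhomes.com/userfiles/file/35457202259.pdf",
    "http://gaudi.tw/upload/files/7533247918.pdf",
    "http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1612fecd196325---97558471088.pdf",
    "https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613ab4f2dc5c4---75559413582.pdf",
    "http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612fc054f033b---19736322972.pdf",
    "http://sahrugs.com/userfiles/file/wovatudapanitozumaz.pdf",
    "https://onderdurdu.com/upload/ckfinder/files/kugogijifijesisuzo.pdf",
    "https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/16139055b8c72c---ligasimuruleduvi.pdf",
    "https://drinkpoint.com/uploads/files/93496154949.pdf",
    "http://wiskind.com/filespath/files/20210919051142.pdf",
    "http://diamantina-joaillerie.com/ckfinder/userfiles/files/9879390713.pdf",
    "https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/ovi6uau1aor57v7jg6vggs78te/toragus.pdf",
    "https://www.bmo-agencement.fr/ckfinder/userfiles/files/katabisoleworagivol.pdf",
    "https://skostishoes.com/userfiles/file/mewilojupejujog.pdf",
    "http://stefanourso.com/public/userfiles/file/42573652065.pdf",
    "https://hse.tw/upload/file/91766217758.pdf",
    "https://qualityroofinnandsuites.com/nbloom/fckuploads/file/bukalurewadegifuba.pdf",
    "http://www.introspekta.si/ckfinder/ckeditor_uploaded_files/files/lurebadijedaxesiperus.pdf",
    "https://gs-hemeringen.de/ablage/userfiles/files/79198280279.pdf",
    "http://avs-market.ru/admin/ckfinder/userfiles/files/92716461447.pdf",
    "https://premiersuli.hu/files/files/fidosinak.pdf",
    "http://uro-medical.pl/zdjecia/fotki/file/73127102154.pdf",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

if __name__ == "__main__":
    fired, stats = evaluate_link_farm(REPORT_URLS)
    print(fired, stats)
```

On this sample both rules fire: 24 of the 27 URLs are PDF links, every one on a different host (no host holds more than about 4% of the links), 18 of them sit under a known upload handler with a generated file name, and the one link annotation is the utm_term redirector. A normal document, whose citations cluster on a handful of hosts and use human-readable file names, stays below both thresholds.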
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000d70c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD70C | 17796 bytes | f95c36e79f91f908fb719b207f7a0aa342f04e0f6e1ee53d8c73bc0c9f28fd57 |