MALICIOUS
Risk Score: 124
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The sample is identified as a PDF containing a link farm, with many URLs pointing to compromised WordPress upload directories. ClamAV detection further confirms its malicious nature, classifying it as a phishing trojan. The primary attack pattern involves luring users to click on these links, likely leading to further malicious content or exploitation.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3518
Heuristics (5)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.