MALICIOUS
Risk Score: 126
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF file contains numerous embedded links, many of which point to compromised WordPress sites and disposable hosting. ClamAV detected this file as Pdf.Phishing.Trojan, indicating a phishing or trojan distribution attempt. The heuristic findings suggest the file is a link farm designed to redirect users to malicious content, likely for phishing or malware delivery.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4417
Heuristics (6)
- ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
- PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI (info, PDF_URI): PDF contains an external URL action.
- PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED): The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000cca4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCCA4 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
| font_01_sfnt_off0000e4bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4BB | 10520 bytes | ed07ebc402761d100f0fb42ccbada9728ce747df3c09b3ab257bfc1a3c8b008f |
| font_02_sfnt_off0000fc95.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC95 | 20028 bytes | e59ff2650e0a0e144535184c098529f424ad395d826173e26a08a2a1300f0458 |