MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for Pdf.Phishing.Trojan. The file functions as a link farm, containing numerous embedded URLs that point to compromised WordPress upload directories. These links likely serve as a distribution point for phishing content or further malware.
Machine Learning
- Nyx PDF Classifier malicious score 0.5273
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160a3ed5bb07c1---421061773.pdf In PDF document text
- http://for-rent-leuven.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a97f682425---domedivimozijovum.pdfIn PDF document text
- http://bulongvungtau.com/media/ftp/file/sasudekirewosibipoxogama.pdfIn PDF document text
- https://spectrumohio.com/wp-content/plugins/super-forms/uploads/php/files/dd59a233b067e6cb461126cecf7972e3/wewugososalavunulazunej.pdfIn PDF document text
- http://axiomestates.com/userfiles/file/28564810375.pdfIn PDF document text
- http://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a93da453263---sesira.pdfIn PDF document text
- http://matchonusa.com/uploads/files/nibasepukilitok.pdfIn PDF document text
- https://alphacleanwashing.com/wp-content/plugins/super-forms/uploads/php/files/cb384de9da704e6c5defb06d24f1f68b/jekisivokagorobese.pdfIn PDF document text
- https://tepihtrava.rs//files/54377006894.pdfIn PDF document text
- https://acethamessecurity.co.uk/wp-content/plugins/super-forms/uploads/php/files/a4ecc93c0ae0da442b68df34e043b300/sopul.pdfIn PDF document text
- http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609cc1acba727---ropedi.pdfIn PDF document text
- http://aexpress.lv/index/images/up/file/wulitokupagipirarexanenef.pdfIn PDF document text
- http://www.petersmetalstitching.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16088ae6a088f1---dibuj.pdfIn PDF document text
- http://sambometal.com/dataroom/file/3450994538.pdfIn PDF document text
- http://recruiters-zone.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f240e70a75---vewavelivopinetomofix.pdfIn PDF document text
- http://artmetinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073853d96c70---82982692775.pdfIn PDF document text
- http://www.sport-konyv.hu/userfiles/file/lebunanuxemerop.pdfIn PDF document text
- http://dichvuketoansg.com/luutru/files/sujupebazevulovisokozoxi.pdfIn PDF document text
- http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/160fa5fa36f8c8---34532932852.pdfIn PDF document text
- http://www.vivelamusica.es/wp-content/plugins/formcraft/file-upload/server/content/files/1606d331cf27e8---89657108489.pdfIn PDF document text
- https://www.hed-endo.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160a24e43d7dea---59032626617.pdfIn PDF document text
- http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ef9d80ceb8---426592966.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/zMnd8XtcwSM/uplcv?utm_term=seventh+day+adventist+baptismal+certificate+pdfPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000121c4.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x121C4 | 17332 bytes |
SHA-256: e7cbf2d79508c49daa5ea1978f73fe67ade6e4bc7b3dc39331e15302a60b2192 |
|||
font_01_sfnt_off00014ee5.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x14EE5 | 16792 bytes |
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.