MALICIOUS
154
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF contains numerous external links, many hosted on compromised CMS platforms or disposable domains, suggesting a phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly indicate malicious intent. The presence of multiple links pointing to potentially malicious PDFs and a URL with a 'how to activate office' query reinforces the phishing lure.
Machine Learning
- Nyx PDF Classifier malicious score 0.6455
Heuristics 5
-
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
-
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARMPDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
-
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARMSmall PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://smidgel.ru/uplcv?utm_term=how+to+activate+office+2016+using+kmspico PDF link annotation
- https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/knfn1v04qktbv6g77v0su1ab34/61969535098.pdfIn PDF document text
- https://zemiigori.com/uploads/file/ziduribatuluvuzowi.pdfIn PDF document text
- http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3a92e8bf47---12676562153.pdfIn PDF document text
- http://gps-ambroisie.com/ressource/site-image/files/sofufawelinejeni.pdfIn PDF document text
- https://emmaushuis.org/pages/53175383343.pdfIn PDF document text
- http://bannermaul.com/userData/board/file/13591847926.pdfIn PDF document text
- https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/1orjmjiok961c1bdjf3onmpi8s/nizuxozibup.pdfIn PDF document text
- http://maszyny.pl/userfiles/file/jovuf.pdfIn PDF document text
- https://brandonsmilesdentistry.com/wp-content/plugins/super-forms/uploads/php/files/h5qr57mjtdt882rpqa1q953p15/butenifofuvuf.pdfIn PDF document text
- http://grandchainfamilyfoundation.org/clients/85333/File/litamujo.pdfIn PDF document text
- http://xn--12cbg9dihj7egda2g6a7dceb1d2cp4nvgf4f.com/datas/files/76082201454.pdfIn PDF document text
- https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/160a94062eeaa2---53008329161.pdfIn PDF document text
- https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/dd9ed115917f8ec938d77d0fc442df20/48481227190.pdfIn PDF document text
- https://indikino.com/ckfinder/userfiles/files/99180104429.pdfIn PDF document text
- http://yngc.ru/admin/ckfinder/userfiles/files/lizesasulavuronop.pdfIn PDF document text
- https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a8f482d8ee8---67468978515.pdfIn PDF document text
- https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/c02e25c627f3f713d471506ea4908929/41569246380.pdfIn PDF document text
- https://mercedesmazo.es/wp-content/plugins/formcraft/file-upload/server/content/files/160f0eede5a1a7---sixedujasedawofavipez.pdfIn PDF document text
- https://wotfiles.com/ckfinder/userfiles/files/48781458606.pdfIn PDF document text
- https://www.caesarstravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160873de018424---89039434862.pdfIn PDF document text
- https://southtours.com/wp-content/plugins/super-forms/uploads/php/files/t2v787gaum3slgmif28cp3dhcs/pedesixotimamobofogo.pdfIn PDF document text
- http://aleeblog.com/wp-content/plugins/super-forms/uploads/php/files/7t933fjfc2cjq4o1av7aok3fb7/pekareleluzumafesudog.pdfIn PDF document text
- http://www.mondzorgvesa-voorschoten.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609b7dd68a8c8---67162831797.pdfIn PDF document text
- https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/324d56aa783677c6f105affe365142e7/rozokedog.pdfIn PDF document text
- https://postscriptproductions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b9c8d8a6f23---rubozuzaz.pdfIn PDF document text
- http://contelex.it/userfiles/files/robejobosarisikopumunizen.pdfIn PDF document text
- http://portalinmobiliario24.com/uploades/fckeditorfile/27541189869.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00010328.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10328 | 17576 bytes |
SHA-256: c2474affb8713780bf5a2b0372d493f976425fc075cd72c458dc68aa5ac230b6 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.