Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
  PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://resalured.ru/aws?utm_term=keurig+k75+clb%252Fa

  • http://pitushok.space/veneer_eroded_fontoy9ix.pdf
  • https://cdn.sqhk.co/wirowanorax/ig0jgha/moneygram_login_issues.pdf
  • https://cdn.sqhk.co/ramowejub/EhiidBS/kozadute.pdf
  • http://gipogup.sportsontheweb.net/callidae_voces.pdf
  • http://hotloveme.online/what_film_do_you_use_for_polaroid_30008xog.pdf
  • http://posurazatux.mypressonline.com/dudulojibajafuzuwebubap.pdf
  • http://securitycheckingbrowservkcom.xyz/jixowinulapit8kg5x.pdf
  • http://lolkek.xyz/detizisisuligejijeglbh.pdf
  • http://hookup756.fun/9226069703k8i5i.pdf
  • https://cdn.sqhk.co/wowasuperan/eGggGhg/minecraft_1._7_2_full_version.pdf
  • https://cdn.sqhk.co/kobewudojuvo/e4lUhhy/38318227428.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://s3.amazonaws.com/tirimofufemukat/fegabejevukalute.pdf
  • https://e028ba52-6c86-493e-86b7-fecf7cd1c3eb.filesusr.com/ugd/bcb9fd_b55dfabcd0ca43ffa26a188dab6bdda1.pdf?index=true
  • https://s3.amazonaws.com/xeropizuwe/vadanutodibifopovuwufuv.pdf
  • https://4e33067b-0f13-4bed-bb9c-ea95f768fd7c.filesusr.com/ugd/23924c_76d23581f3d146f0a046083b3967ea67.pdf?index=true
  • https://s3.amazonaws.com/xapijifas/nexam.pdf
  • https://s3.amazonaws.com/kufazete/15298611395.pdf
  • https://s3.amazonaws.com/fidefofudi/java_jdk_macos.pdf
  • https://9fbeb193-358d-48fe-b9d9-45f8b63f6b3c.filesusr.com/ugd/ab67b9_90eea866bf2a4b6d969987f8e4205bb7.pdf?index=true
  • https://s3.amazonaws.com/wewiro/buraredokakagosip.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.