Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Urgency / deadline lure low SE_URGENCY_LURE
  Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://pelibifir.ru/strik?utm_term=how+to+get+your+kitten+spayed+for+free PDF link annotation

  • http://mozaduz.mygamesonline.org/98798204987.pdfIn PDF document text
  • http://tuwasukam.getenjoyment.net/jujul.pdfIn PDF document text
  • http://fuvesozufinefi.medianewsonline.com/imbalanced_nutrition_care_plan_for_elderly.pdfIn PDF document text
  • http://kazexajisodibu.medianewsonline.com/31405672574.pdfIn PDF document text
  • http://milatepe.medianewsonline.com/blank_spelling_test_sheet.pdfIn PDF document text
  • http://lodomujimujug.mywebcommunity.org/69114822408.pdfIn PDF document text
  • http://zonerokemub.getenjoyment.net/37355780069.pdfIn PDF document text
  • http://wotedogupowu.sportsontheweb.net/tisujakakivifup.pdfIn PDF document text
  • http://xevusezes.medianewsonline.com/cutting_tools_types.pdfIn PDF document text
  • http://tezuveripoxub.mypressonline.com/30530208282.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.daltonmaag.com/In PDF document text
  • https://f05e0dbb-21cf-40ea-8b71-00b8d6f49a3b.filesusr.com/ugd/b09e1d_99a47df1a3e04f98a068007fb670902a.pdf?index=trueIn PDF document text
  • https://d12e84a0-9808-45da-82c6-613dfe540d1b.filesusr.com/ugd/dc8a8e_464ffd0aa8664dbf9e0649a7ef4d6a78.pdf?index=trueIn PDF document text
  • https://db22a0a0-c6c8-4eb9-9878-037c50d93224.filesusr.com/ugd/e2b5b3_4ccd85b6ea1c4c82910f46b89f8b4224.pdf?index=trueIn PDF document text
  • http://bekusisit.atwebpages.com/realtek_hd_audio_driver_windows_7_dell.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/fe47dbd7-38aa-4b3e-bf16-475f4c788a6e/pasos_de_una_misa_catolica.pdfIn PDF document text
  • https://54a0e2cb-796f-4f80-9aaf-d11633176b06.filesusr.com/ugd/b0c554_533a180a9a2d4c14862befdd74a7cd42.pdf?index=trueIn PDF document text
  • http://lesidiwajenowil.myartsonline.com/63374994228.pdfIn PDF document text
  • https://dbba0f06-1911-40f0-8c80-a2638c7f81cc.filesusr.com/ugd/b13fd1_2c1869c0d7f2475e89747611c5ab02fd.pdf?index=trueIn PDF document text
  • http://bifovigavij.myartsonline.com/the_oxygen_thief_audiobook_free.pdfIn PDF document text
  • https://dfa52777-3edb-460f-9b14-ca5101cd4ecc.filesusr.com/ugd/5360f8_2022eee14f9a40c5a18ebe011878baeb.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/61685d93-ea60-4e2b-a88e-2e6a7bc9a5f2/how_to_change_transmission_fluid_focus_st.pdfIn PDF document text
  • http://zalatikewal.atwebpages.com/renaissance_period_art.pdfIn PDF document text
  • https://7f1d4f38-7308-4051-b389-b8ed31312188.filesusr.com/ugd/e948c1_fe41650ffa9c4d4ba22258fb5e8a862d.pdf?index=trueIn PDF document text
  • https://1ce8651a-bfbb-4b9a-b1bf-24b3b574775a.filesusr.com/ugd/ac72e0_4b8e7fcd721e4f66acad4b79bceea8ed.pdf?index=trueIn PDF document text
  • https://8dac4d01-2cd1-45d2-8b5f-6005f802adc9.filesusr.com/ugd/1f96ce_e352b71636af4b2fb0c62ffdbabd042f.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/952a5434-bc06-417f-bdb6-0c9a8d98410a/hotpoint_gas_cooker_dsg60k.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.