Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://jacksth.ru/strik?utm_term=brother+mfc+495cw+printer+wireless+setup PDF link annotation

  • https://fotagajumiveba.weebly.com/uploads/1/3/1/4/131411987/begasiwajasimud.pdfIn PDF document text
  • https://juvumumirogo.weebly.com/uploads/1/3/5/3/135313675/wemopa_remufoboragelu_lesal.pdfIn PDF document text
  • https://fupebabo.weebly.com/uploads/1/3/4/6/134601971/buforuxafi.pdfIn PDF document text
  • https://xojovirasada.weebly.com/uploads/1/3/1/6/131637125/mevaf.pdfIn PDF document text
  • https://xapeposatu.weebly.com/uploads/1/3/1/4/131437079/b11dd814ef45.pdfIn PDF document text
  • https://tegipogelow.weebly.com/uploads/1/3/1/4/131407588/jewezofitirive.pdfIn PDF document text
  • https://pomapufawupufus.weebly.com/uploads/1/3/5/3/135397804/dadotaxid_mejasur_tabenisowisusa_vomuguzavimow.pdfIn PDF document text
  • https://mabalavorejeg.weebly.com/uploads/1/3/4/7/134769590/dcb4856f6c4e9.pdfIn PDF document text
  • https://rixotojar.weebly.com/uploads/1/3/0/9/130969533/bomaduvava-dagejafagoji-jepofuvafevefas.pdfIn PDF document text
  • https://vejejalerejoji.weebly.com/uploads/1/3/4/6/134600164/9278630.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://7e6b698e-d56f-4a21-8c48-787e2f6d39f4.filesusr.com/ugd/7836c9_7c98c695960b4cb7b11d2f20a9ee53cb.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/c54737d2-8296-414f-b545-d3fa6d895955/12665640892.pdfIn PDF document text
  • https://86a9da1b-0b57-4b35-a77a-523886b904cd.filesusr.com/ugd/0d9a50_a835fc8074be491a94ea84abdcdb2b31.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/f9b762dc-7d14-4336-9aef-e5d6f3f92d45/gunosepotapetuzunu.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/8adba6d2-6573-42be-825c-545738dddb79/marketing_plan_process_steps.pdfIn PDF document text
  • https://6b52f5a6-db44-4d3e-8337-ab33c729cb13.filesusr.com/ugd/f4de5e_3d20881d2a0246b596117972c9835088.pdf?index=trueIn PDF document text
  • https://a0f1d9c0-ea46-4e0e-9383-d87711d3127f.filesusr.com/ugd/1e3fb7_db36c9c88a2a48228af1b805abb5fb7d.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/5417e843-9d6d-4632-98d7-df65e4e64cf6/fologalofujurumo.pdfIn PDF document text
  • https://a9864912-ad24-422b-99f3-2d90f7703507.filesusr.com/ugd/d6af85_9b6ec72db99a4242b020dbe451ba9e4a.pdf?index=trueIn PDF document text
  • https://64b67c6e-fbbd-4787-add8-9ed3e274c95c.filesusr.com/ugd/eb6612_748c0f8e51334719b10386ddcdbec047.pdf?index=trueIn PDF document text
  • https://fe2b84af-b373-48e0-a714-f820169e3fe9.filesusr.com/ugd/ed1d2e_5940ae333ad348edab58f5c344b91260.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.