Malicious PDF — malware analysis report

Heuristics 5

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://dafemum.ru/aws?utm_term=the+witcher+3+ps4+guide+pdf

  • https://lilonukile.weebly.com/uploads/1/3/4/7/134767916/nekojobajegine-nirexe-wexoziwutasisar.pdf
  • http://tuzazigigub.iblogger.org/xusixefegeduw.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://uploads.strikinglycdn.com/files/c3fb4736-5a6d-41ba-91e5-b52f6c695b64/metal_gear_solid_2_sons_of_liberty_walkthrough_part_1.pdf
  • https://79f67b98-100a-41ac-8a2f-4880133f117e.filesusr.com/ugd/f12c90_216e48070fe04d31a2ba4db168c6b4b6.pdf?index=true
  • http://pixagikaw.epizy.com/beat_bongo_fleva.pdf
  • https://s3.amazonaws.com/napoledunadigo/51796742538.pdf
  • https://a49aa754-465e-4bbd-924e-b3d0e7b66bd4.filesusr.com/ugd/81d6a4_5b04e6269ca84bcab26fa8f4a7d4573b.pdf?index=true
  • https://s3.amazonaws.com/dugibabafod/mozilla_firefox_49._0._2.pdf
  • https://uploads.strikinglycdn.com/files/ca1cd868-6e81-40d3-9758-29817314854d/demigopa.pdf
  • https://s3.amazonaws.com/lakujusitejojet/85557904899.pdf
  • https://uploads.strikinglycdn.com/files/3bfcb4c2-2077-4156-a080-1e5b79b91510/georges_marvelous_medicine_movie.pdf
  • https://uploads.strikinglycdn.com/files/cbe4da2b-fb37-4c9c-851c-e2ad7d9f4251/fosasavafebubatowoz.pdf
  • http://tavaxovowewut.rf.gd/87814296190.pdf
  • https://uploads.strikinglycdn.com/files/b8777fd4-834d-4513-8d88-c5d306dac21b/shark_navigator_swivel_pro_vs_lift_away.pdf
  • https://uploads.strikinglycdn.com/files/b2d1003c-1493-43ab-b1b0-0695be539096/metal_gear_solid_v_the_phantom_pain_gameplay_time.pdf
  • https://s3.amazonaws.com/lulelepese/absolute_fout_berekenen_formule.pdf
  • https://6d251753-49d0-4f5b-a278-10ed1cacc9d0.filesusr.com/ugd/5c139a_b768f2d5184f457e8130ef014b10ba5f.pdf?index=true
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.