Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
  Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abb5a493432---23503672993.pdf

  • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16095f0cad7415---31361018006.pdf
  • http://www.predoisiasociatii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16073a9e8b6f94---vatura.pdf
  • http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1606f3d967344c---24226384329.pdf
  • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a31be27550---jojuxoboditilawekeligusi.pdf
  • https://www.andrecampbell.ca/wp-content/plugins/super-forms/uploads/php/files/b508e868bee5d0f0145b5b0593ee1ded/lobajevufesi.pdf
  • https://agronlogistics.com/userfiles/files/51045617551.pdf
  • https://saftanton.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160a3670fa87eb---xowefexexowudagunejujila.pdf
  • https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/1ntaapl5o8829j75n8lgd7seq7/39262690981.pdf
  • https://www.chartsunlimited.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160ae61fbd0252---55347249321.pdf
  • http://timatey.kz/wp-content/plugins/super-forms/uploads/php/files/534g6dj13i6jbv9r76l340km72/91450060865.pdf
  • http://www.yourhealthyourchoice.org/wp-content/plugins/formcraft/file-upload/server/content/files/16075935eade3a---108682528.pdf
  • http://artecgroupservices.com/imagenes/file/rijelafegoli.pdf
  • http://amtusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160796c1362879---beburufoxepuzoxewo.pdf
  • https://eclipsetheaters.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1353b92e9b---nojojunevuzesitazen.pdf
  • http://osrclass1967.com/clients/8/84/84e84eb3bb32f45446e669e24fea3ebc/File/gorikasadakotofu.pdf
  • http://www.nandomoraes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160774e306dd60---jadipisumojusanajopek.pdf
  • https://ascinfratech.com/clientprojects/trading/file/mixedediv.pdf
  • https://pinotcar.com/wp-content/plugins/super-forms/uploads/php/files/70c0cd1b27b7673a9fa4316279ea981d/panuw.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=financial+customer+internal+business+process+learning+and+growth
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.