Malicious PDF — malware analysis report

Heuristics 8

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
  PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ehblending.com/wp-content/plugins/super-forms/uploads/php/files/f349bf5c890d7d965268192f20ff163c/83915578816.pdf

  • http://barrospizzadb.com/uploads/files/faxof.pdf
  • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/52c4065c584e087461a3042531bab834/gemejis.pdf
  • http://cathyourhair.nl/js/ckfinder/userfiles/files/vatifomot.pdf
  • https://ratco-hardware.com/Ups/files/rovowevifilopuxedasa.pdf
  • https://kidneystonetreatment.in/userfiles/files/gevevumonuronupove.pdf
  • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/1607eb228ea526---70868970296.pdf
  • http://loca-granderoue-montaletang.com/ckfinder/userfiles/files/32636483769.pdf
  • http://voijin.com/userfiles/files/40689133368.pdf
  • https://www.sacda.org/wp-content/plugins/super-forms/uploads/php/files/g7kiasppnm8vm9i29nm3cv6u13/53652164446.pdf
  • https://www.expoagrogto.com/wp-content/plugins/super-forms/uploads/php/files/ookj17k8jisobqobetbjf5b4t5/21419337835.pdf
  • https://arenda1s.ru/wp-content/plugins/super-forms/uploads/php/files/eca3b391829d8c4bbf89679f35225311/42972545970.pdf
  • https://njsolarpower.com/wp-content/plugins/super-forms/uploads/php/files/83ca8721c5d05fb59e659928f40acd16/pozapikazujukawisirumesu.pdf
  • http://www.expertnutritionadvisor.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072ab692e00a---73993542980.pdf
  • https://bandotrading.it/uploads/file/padexasej.pdf
  • http://www.majoriscambio.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c93fa453266---nudokegeniko.pdf
  • https://beautifullifeuk.com/wp-content/plugins/super-forms/uploads/php/files/298584f038e3d497f3bd41915a201b4e/jopaxokasuwozikoz.pdf
  • https://www.havanasalsa-dance-tours.com/wp-content/plugins/super-forms/uploads/php/files/714cf449cc0aee8b68d25770101ef5ec/79085596449.pdf
  • https://choiceenergynetwork.com/wp-content/plugins/super-forms/uploads/php/files/85531a5e281563b4cb3cd595e98cd840/faniwuledogemuga.pdf
  • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ce3fa10c98---11580226185.pdf
  • http://payassistinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089753375946---74018386450.pdf
  • https://www.gasserbush.com/wp-content/plugins/super-forms/uploads/php/files/38789701e8f1b562eff47722afec4d77/56387420993.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=the+first+antitrust+law+to+include+a+provision+prohibiting+price+setting+and+price+discrimination+was+the
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.