Malicious PDF — malware analysis report

Heuristics 4

• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://lozipotod.ru/123?utm_term=calligraphy+handwriting+practice+sheets

  • https://static.s123-cdn-static.com/uploads/4465267/normal_5ff086818274c.pdf
  • https://cdn.sqhk.co/bularalunop/eJFcjih/jorukumekasoselukulitoje.pdf
  • https://static.s123-cdn-static.com/uploads/4371812/normal_5fcebdec62fbe.pdf
  • https://cdn-cms.f-static.net/uploads/4379605/normal_602f15dd015ed.pdf
  • https://cdn-cms.f-static.net/uploads/4383470/normal_604169b929556.pdf
  • http://nujilotadotila.iblogger.org/logivuwaxugopa.pdf
  • https://cdn.sqhk.co/suxevevagova/hehjEgi/navukavavovafe.pdf
  • https://cdn-cms.f-static.net/uploads/4492286/normal_60568fe8279b7.pdf
  • https://cdn-cms.f-static.net/uploads/4385436/normal_600ba500c47d4.pdf
  • https://cdn-cms.f-static.net/uploads/4414176/normal_60468316122c1.pdf
  • https://static.s123-cdn-static.com/uploads/4454543/normal_5fc5d95a0d385.pdf
  • https://static.s123-cdn-static.com/uploads/4403806/normal_5fc5d85bd59ed.pdf
  • https://cdn.sqhk.co/munenetifu/gcggggV/lejukiz.pdf
  • https://cdn.sqhk.co/juwasakekeja/EjhXDBi/supreme_stick_fight_mod_apk.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://aca292c6-a3ee-4c96-b4c9-db15c8eca1b9.filesusr.com/ugd/cd1d52_b413587dfa29458d84546ccb0c324c48.pdf?index=true
  • http://gopuvobapeten.rf.gd/alt_codes_table.pdf
  • https://3dd85f33-233b-4b3c-8e53-142bc8307eec.filesusr.com/ugd/8df890_a552ebce0680484c979ecc2b0bc6345f.pdf?index=true
  • http://pevobipokuxatis.rf.gd/carol_ann_duffy_poems.pdf
  • http://muxawij.rf.gd/nojuluxubolelaso.pdf
  • https://uploads.strikinglycdn.com/files/9159d8b2-5c39-4a4f-bae2-c97b145dc05f/english_language_school_near_me.pdf
  • https://uploads.strikinglycdn.com/files/321aec3b-8c67-4d0d-9128-5d8590a358ee/what_is_the_best_hamilton_beach_single_serve_coffee_maker_walmart.pdf
  • https://uploads.strikinglycdn.com/files/f314479e-9522-4c02-9834-ea1ea0e0a5fd/kubota_v1505_engine_hp.pdf
  • https://bcbc83ff-a82b-4234-bf1d-c69e8cae54d5.filesusr.com/ugd/057c82_7260e34740db4a38900833b0cd6d05eb.pdf?index=true
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.