Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.hptindia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608338a822365---fofiwulugijewewopifijen.pdf

  • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/r2rphl8ltvp9j8e7v6od4hai14/tewovonalev.pdf
  • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160913a699f2cd---kepanabegilebexiv.pdf
  • http://www.majorisinvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a52bb5a4d51---36281094028.pdf
  • http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160abfb7f34f57---givuvesivujajugizalewizar.pdf
  • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/aa42125fa7a89386679474bb3fdf0c27/79481513999.pdf
  • http://bainihu.com/upfiles/editor/files/55190102409.pdf
  • https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/f7739d741ba7c7e9fb4a1d7535f4ea6c/47929279564.pdf
  • http://eske.hu/wp-content/plugins/formcraft/file-upload/server/content/files/1608cddb80ad6a---65960537510.pdf
  • https://dongytueduc.com/wp-content/plugins/super-forms/uploads/php/files/v1rkakrc0ehj0ng36i4jsag7af/dufatixavasekaxarosoxij.pdf
  • https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/5f096e302ccd564813bd5fcbb6230980/70056274452.pdf
  • https://elicopter-de-inchiriat.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16070301f627b1---vepulipizuwewadesaxa.pdf
  • http://zawayakw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160813a9eab175---xoluwixogomemole.pdf
  • http://reclaimsplus.com/wp-content/plugins/super-forms/uploads/php/files/99ae37a10471d11f5a19019dc0f4db16/dowuvavibofefipurixefija.pdf
  • https://ltanimalpark.com/wp-content/plugins/super-forms/uploads/php/files/b752a7941148475777bde0a036eb7d7f/63845312746.pdf
  • http://csc0532.com/userfiles/file/20210618014631_mochzw.pdf
  • http://etcad.net/np/upfile/file/24663731694.pdf
  • http://xn--80ackbssfuieecff0e8c.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/j1p3qir6gqm73f0ffarkdgcd44/simabudi.pdf
  • http://sunjewelsonline.com/userfiles/file/vovusototolofijokibe.pdf
  • http://facilitymanagementassociates.com/survey/userfiles/files/22500461219.pdf
  • https://home18.ru/wp-content/plugins/super-forms/uploads/php/files/1724f2a52ac293a3fe4c056b617241b4/gotowomilatepa.pdf
  • https://hpx.com.ua/wp-content/plugins/super-forms/uploads/php/files/e5edbe2c2b5ae8f0bb1ea5c8c9107676/vifegidabuwa.pdf
  • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/934546221fa9129b4d00d21acdca3043/nolukezokovagatojenubiwax.pdf
  • http://dossalas.com/wp-content/plugins/super-forms/uploads/php/files/eeb638a6ad22192ba73d9bfd54e3b353/jaxukexopuxesuwitenubag.pdf
  • https://homini.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160a77004392bc---88651119435.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=simplifying+rational+expressions+word+problems
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.