Malicious PDF — malware analysis report

Static analysis result for SHA-256 081b23592841c964…

MALICIOUS

PDF

Size: 93.0 KB
Created: 2021-03-24 12:00:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 483e28f0550af161f049f9dbffb33a8a
SHA-1: e0219a49801772f903ce5db7f051b8edc18bc5ce
SHA-256: 081b23592841c9646da1901bc32046375f52cebc09d305de176f27c7446e5c32
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ClamAV and an ML classifier both flag this PDF as malicious. It is a small (93 KB) wkhtmltopdf-generated document that contains an unusually large number of external links to other .pdf files, spread thinly across free and disposable content hosts with no single dominant host. That shape matches generated SEO link-farm carriers that rank for search queries and route readers into redirect or unwanted-software delivery chains, not a document with a normal citation pattern. The primary malicious URL identified is https://seumenha.ru/strik?utm_term=will+there+be+a+monster+vault+2020, reached through a link annotation; its utm_term value is a search query, the redirector shape the heuristics below key on. No JavaScript or other scripts were extracted and the PDF carries no exploit, so the T1059.007 tag is not backed by extracted content: the risk is in the link annotations and the destinations they point to.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=will+there+be+a+monster+vault+2020 (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4366346/normal_604147d3cd4b5.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4428061/normal_5ffa793fb75e5.pdf (in PDF document text)
    • http://mesanezedid.mypressonline.com/29381503472.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4392453/normal_60141f5e5505a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4449968/normal_603e685edb4a6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380395/normal_60140982c71b2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4497695/normal_602e6e45123d1.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1126e97f-405c-4d72-a220-898cd50c971f/40872025072.pdf (in PDF document text)
    • http://kikanelomer.onlinewebshop.net/96854972490.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/154183d0-1f7d-4822-bf56-25578ae5da00/barexadit.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c823971f-f5e3-4ae2-a8ef-a2c63356e1c1/relative_pronouns_worksheet_grade_4.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9c33f44f-7b7f-442d-b9b5-6c40c39dfda6/calories_in_taco_bell_chicken_power_bowl.pdf (in PDF document text)
    • https://3c3a732a-bc26-4be5-bc29-345d3dbc3408.filesusr.com/ugd/63a963_55062b7414dc43c49c125130fe0141c3.pdf?index=true (in PDF document text)
    • http://rexefobixavater.myartsonline.com/computer_hardware_engineer_salary_in_florida.pdf (in PDF document text)
    • http://bowegasobufur.myartsonline.com/3889891598.pdf (in PDF document text)
    • https://c9977776-9e37-4432-9eae-e541147807da.filesusr.com/ugd/bb6cc6_0ed0d0b6b5084902897931be7a3486a5.pdf?index=true (in PDF document text)
    • https://44f68060-d5e3-4d58-b4e7-e3760392f352.filesusr.com/ugd/49488e_f171af2e3ec849e081c88a4a6a78fad9.pdf?index=true (in PDF document text)
    • https://87164119-88a6-4d6d-a72f-b109cf2d88b9.filesusr.com/ugd/bd0a66_2b4bd069c0964cdebd514e1a888156cc.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a581318a-f9bb-4c89-b64f-ed01de899aef/are_all_scroll_saw_blades_the_same_length.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ab26e552-1ffa-464d-9ea7-6d415d7e26eb/rs_means_cost_estimating_training.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/48bdd881-aca6-441a-9ac6-92da72bcec42/32956968159.pdf (in PDF document text)
    • https://fa53e508-d88d-41cb-897c-7a5b6f1bfcc3.filesusr.com/ugd/361045_ec0ea3cae7ed47b3ba9eb8cc347a794c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8f1b1d7b-5b99-44aa-b160-4e666d6dc1ab/dozedujoluvepag.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6e9558ff-8b52-41dc-b7e2-67ce62b29133/is_premier_protein_shakes_bad_for_you.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Triage note: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document metadata, scripts.sil.org/OFL is the SIL Open Font License URL, and ascendercorp.com is a font vendor; these almost certainly come from the XMP packet and the embedded fonts' licence and vendor strings, and they are not part of the link farm. The 24 .pdf links on f-static.net, s123-cdn-static.com, strikinglycdn.com, filesusr.com, mypressonline.com, onlinewebshop.net and myartsonline.com are the ones the PDF_SEO_* heuristics count; the largest single host (uploads.strikinglycdn.com) carries 9 of them, which is why the non-clustered variant fired.
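The two heuristic shapes above, the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the link-farm scoring (PDF_SEO_LINK_FARM versus PDF_SEO_DISPOSABLE_LINK_FARM), can be reproduced with a few lines of Python. The following is an added example written for this page, not the analysis platform's own code: the object scanner is a deliberately naive regex pass rather than a real PDF parser, the `min_links` and `dominant_share` thresholds and the disposable-host list are assumptions chosen for illustration, the PDF bytes are constructed (an incremental update redefining object 4 0 with a different link target), and the URL list is a subset of the URLs listed in this report.

```python
"""Added triage helpers (not the analysis platform's code): first/last-wins
scan for duplicate object numbers, and a link-farm scorer over extracted
URLs. Thresholds and the disposable-host list are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# "N G obj ... endobj" pairs. Naive on purpose: a stream whose data contains
# the bytes "endobj" would cut an object short, so treat hits as leads.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def object_bodies(pdf_bytes):
    """(num, gen) -> every body defined for it, in file order."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    return bodies


def duplicate_objects(pdf_bytes):
    """Objects defined more than once with differing body bytes."""
    return {k: v for k, v in object_bodies(pdf_bytes).items() if len(set(v)) > 1}


def resolve(pdf_bytes, key, policy="last"):
    """Body a first-wins or last-wins reader would use for `key`."""
    v = object_bodies(pdf_bytes)[key]
    return v[0] if policy == "first" else v[-1]


def link_annotation_uris(data):
    """/URI targets of link annotations found in `data`."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


# Hosts this report treats as free/disposable content hosting (assumed list).
DISPOSABLE = ("strikinglycdn.com", "filesusr.com", "f-static.net",
              "s123-cdn-static.com", "mypressonline.com",
              "onlinewebshop.net", "myartsonline.com")
# XMP/RDF namespace and font-licence URIs are metadata, not clickable links.
NAMESPACE_PREFIXES = ("http://www.w3.org/", "http://purl.org/",
                      "http://ns.adobe.com/", "http://scripts.sil.org/")


def classify_link_farm(urls, min_links=8, dominant_share=0.6):
    """Counts the two PDF_SEO_* heuristics key on, plus the labels they
    would raise. min_links and dominant_share are illustrative thresholds."""
    external = [u for u in urls if not u.startswith(NAMESPACE_PREFIXES)]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top = hosts.most_common(1)[0][1] if hosts else 0
    share = top / len(pdf_links) if pdf_links else 0.0
    utm = any("utm_term=" in u for u in external)
    disposable = sum(1 for u in pdf_links
                     if (urlparse(u).hostname or "").endswith(DISPOSABLE))
    labels = []
    if len(pdf_links) >= min_links:
        if share >= dominant_share:
            labels.append("PDF_SEO_LINK_FARM")             # clustered on one host
        elif utm or disposable:
            labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")  # spread thin across hosts
    return {"external": len(external), "pdf_links": len(pdf_links),
            "hosts": len(hosts), "top_share": round(share, 2),
            "utm_term": utm, "disposable": disposable, "labels": labels}


# Constructed sample: one page with one link annotation, then an incremental
# update that redefines object 4 0 with a different target. Offsets and the
# xref table are omitted; the regex scanner above does not need them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI"
    b" /URI (https://example.org/template.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI"
    b" /URI (https://example.org/strik?utm_term=free+template) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

# Subset of the URLs listed in this report, used as sample input.
REPORT_URLS = [
    "https://seumenha.ru/strik?utm_term=will+there+be+a+monster+vault+2020",
    "https://cdn-cms.f-static.net/uploads/4366346/normal_604147d3cd4b5.pdf",
    "https://static.s123-cdn-static.com/uploads/4428061/normal_5ffa793fb75e5.pdf",
    "http://mesanezedid.mypressonline.com/29381503472.pdf",
    "https://cdn-cms.f-static.net/uploads/4392453/normal_60141f5e5505a.pdf",
    "https://uploads.strikinglycdn.com/files/1126e97f-405c-4d72-a220-898cd50c971f/40872025072.pdf",
    "http://kikanelomer.onlinewebshop.net/96854972490.pdf",
    "https://uploads.strikinglycdn.com/files/154183d0-1f7d-4822-bf56-25578ae5da00/barexadit.pdf",
    "https://3c3a732a-bc26-4be5-bc29-345d3dbc3408.filesusr.com/ugd/63a963_55062b7414dc43c49c125130fe0141c3.pdf?index=true",
    "http://rexefobixavater.myartsonline.com/computer_hardware_engineer_salary_in_florida.pdf",
    "http://www.ascendercorp.com/",
    "http://ns.adobe.com/xap/1.0/",
]

if __name__ == "__main__":
    for key in duplicate_objects(SAMPLE_PDF):
        print(key, "first-wins:", link_annotation_uris(resolve(SAMPLE_PDF, key, "first")),
              "last-wins:", link_annotation_uris(resolve(SAMPLE_PDF, key, "last")))
    print(classify_link_farm(REPORT_URLS))
```

The point of pairing the two checks is the one the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL entry makes: a scanner that resolves object 4 0 first-wins sees a harmless template link, while a viewer that honours the incremental update (last-wins, which is what the format specifies) follows the utm_term redirector, so link extraction has to be run against the bodies a real reader would use, not just the first copy found. On the report subset, nine .pdf links over seven hosts with a top-host share around 0.22 and a utm_term redirector raise the non-clustered label, matching the verdict above.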

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

font_00_sfnt_off0001145d.bin
  Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x1145D  Size: 5804 bytes
  SHA-256: 99bffb2843281f8990ff04d8b274740df091cf51645cb005f840b448c1a04f0a
font_01_sfnt_off00012827.bin
  Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x12827  Size: 5412 bytes
  SHA-256: 7dc17a9cc5fdaebe4f0b820b954fa5fc0de251ba8b9cfb143fc4875d391eb197
font_02_sfnt_off00013a6c.bin
  Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x13A6C  Size: 13020 bytes
  SHA-256: 7e4f7928c627c50934f295ae5def29765d676c111a5b1eaeac02a9dad6fea48a