Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://j1medical.com/uploaded/file/sakegaxilijilir.pdf In PDF document text

  • https://www.andyselfstorage.co.uk/wp-content/plugins/super-forms/uploads/php/files/bbmvrafvda49h8vf3sc27shudc/83671390839.pdfIn PDF document text
  • http://www.onekaddy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ec38e65ea8---71322517159.pdfIn PDF document text
  • https://hopefor.today/wp-content/plugins/super-forms/uploads/php/files/f0390ee859fd5cf845619778527f3e88/xawexe.pdfIn PDF document text
  • https://greyquotient.com/wp-content/plugins/super-forms/uploads/php/files/e0da04f46e7329c51f12ba1867169541/jugagavakidadezeg.pdfIn PDF document text
  • https://unitedcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cf059771986---putekizekag.pdfIn PDF document text
  • http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6fffe92c36---xogupujufekopokikosiwa.pdfIn PDF document text
  • http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608618f8d3f84---39004159333.pdfIn PDF document text
  • https://abeess.com/userfiles/file/88932396902.pdfIn PDF document text
  • http://jimigubellifoundation.org/clients/f/f9/f96c94eea877db95ad0a8b6fd709b1ed/File/42220710657.pdfIn PDF document text
  • https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/8ab99733ee4745639a31f4ec7e61102b/10914801982.pdfIn PDF document text
  • https://winston-woodward.com/wp-content/plugins/super-forms/uploads/php/files/9e973231b0a4e4481ad1da1f63b4298b/35193167120.pdfIn PDF document text
  • https://asiatravel.kg/wp-content/plugins/super-forms/uploads/php/files/f0d37d628aa42184cd04158990db03d5/59767618037.pdfIn PDF document text
  • https://vmkstroi.ru/wp-content/plugins/super-forms/uploads/php/files/06d1c035cb10d325a140138464b16a11/69775856016.pdfIn PDF document text
  • http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607ed1b47da46---vapegatutefevogabe.pdfIn PDF document text
  • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/bd43273f00b64f21514645fe3efb4be8/potigudodarolupoxesaruxap.pdfIn PDF document text
  • http://self119.net/upload/userfiles/2021/07/files/210717123726.pdfIn PDF document text
  • http://infinity-pro.ru/userfiles/file/74605215228.pdfIn PDF document text
  • http://dodici12.ru/wp-content/plugins/super-forms/uploads/php/files/n6aghcj3geb7rnqsu09vtop516/sogezenivebesosim.pdfIn PDF document text
  • https://revapackers.com/wp-content/plugins/super-forms/uploads/php/files/gnjqu4q393oghq5bk1hhho08jq/58701397005.pdfIn PDF document text
  • https://www.medicalart.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160d67e73757a2---nasakeso.pdfIn PDF document text
  • https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/d8b7cfcbc3d4b0ed1714ed42f22bb6e5/24558593105.pdfIn PDF document text
  • http://newgrids.com/userfiles/file/40147426370.pdfIn PDF document text
  • https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/74e34a7ba3438487208da3476b29c3f6/40388084685.pdfIn PDF document text
  • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=dry+skin+on+stomach+after+c+sectionPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.