Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://pansophers.com/wp-content/plugins/formcraft/file-upload/server/content/files/161636d8d76270---39240373420.pdf

  • http://m-camper.ru/ckfinder/userfiles/files/10783877061.pdf
  • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613cb717039d9---4363763829.pdf
  • https://agermag.ro/mm/file/69969969702.pdf
  • https://ferest.ro/imagini_ws/lujanilutajevo.pdf
  • https://batdongsandothanh.vn/luutru/files/46169647154.pdf
  • http://lumieye.com/userData/ebizro_board/file/72256790681.pdf
  • https://karolinanowak.com/userfiles/file/lanusafabodawexuge.pdf
  • http://polskienarty.pl/data/aktualnosci_imgs/file/femuwefepixekimujato.pdf
  • https://rugerwafers.com/demo/ruger/beta/userfiles/files/51628258141.pdf
  • http://prunay-en-yvelines.fr/ckfinder/userfiles/files/36920484743.pdf
  • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/df3593b84db905e651e231f0e146439a/92496463608.pdf
  • https://vico-immobilien.com/ckfinder/userfiles/files/61561173817.pdf
  • http://evrokomplekt.ru/userfiles/file/79284668200.pdf
  • http://nbc.com.vn/ckfinder/userfiles/files/gonimubafokiwaj.pdf
  • http://ayhancevik.com/images_upload/files/52317440001.pdf
  • https://homeaestheticsllc.com/wp-content/plugins/super-forms/uploads/php/files/8eec640a910f1b41e1432f8ead1a73bb/batefawifofafepode.pdf
  • http://trustarshida.co/cache/fck_files/file/33080561822.pdf
  • http://alteredcompta.com/buddha/ckfinder/userfiles/files/98662128573.pdf
  • http://2013.letnifestiwal.pl/ckfinder/userfiles/files/39794810929.pdf
  • http://marcth.pl/media/fck/file/30456429018.pdf
  • https://doctornhospital.com/banglanews24/editorsfiles/files/zegosoxelagi.pdf
  • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1615963010a24c---83802934140.pdf
  • https://feedproxy.google.com/~r/Gsjc/~3/1hHberoKktI/uplcv?utm_term=how+to+write+a+screenplay+in+google+docs
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.