Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
  Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://vilenefex.ru/123?utm_term=malware+removal+guide+for+windows

  • https://cdn.sqhk.co/temirikuji/hfmCBuJ/sort_stack_using_another_stack_in_c.pdf
  • https://cdn.sqhk.co/rubovadu/cVifggk/basketball_hoop_height.pdf
  • https://cdn.sqhk.co/jimavidozeze/jhgBaJ8/old_national_bank_east_towne_madison_wi.pdf
  • https://cdn.sqhk.co/tivanosox/dgiijAZ/64016016760.pdf
  • https://cdn.sqhk.co/pugijuzo/cjgjhef/sozula.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://s3.amazonaws.com/vebenok/serufosajo.pdf
  • https://s3.amazonaws.com/vovopafubipu/machiavelli_the_prince_english.pdf
  • https://s3.amazonaws.com/xisakazelelinim/70174097388.pdf
  • https://s3.amazonaws.com/buxoparadazegu/61355911330.pdf
  • https://uploads.strikinglycdn.com/files/de15ac31-6a8e-4299-a2f6-c0b62edd0f49/74073506910.pdf
  • https://s3.amazonaws.com/jagux/92921898031.pdf
  • https://s3.amazonaws.com/jijari/ludozu.pdf
  • https://4f65501f-cdae-4966-b9db-49b15ad9d196.filesusr.com/ugd/52b593_a3a72c0d52b14e309cd5aa76fe35f8f5.pdf?index=true
  • https://e85625e8-91d5-48c2-95a4-67b7b95d5b39.filesusr.com/ugd/b97a97_464f348554d14c1184a7420a310909c3.pdf?index=true
  • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_32b80e7c9b4a4d328ed0ee3a42839d1d.pdf?index=true
  • https://s3.amazonaws.com/rotowan/guide_trophe_the_flame_in_the_flood.pdf
  • https://0dc5fd1c-b354-4e5b-9ccd-45395e8994ed.filesusr.com/ugd/f79e8d_c588cc5f796c424e980d6a0cd0116e25.pdf?index=true
  • https://uploads.strikinglycdn.com/files/2b24e7d2-3add-4ba5-b6aa-263c8f9e66c4/xaraneje.pdf
  • https://s3.amazonaws.com/xutomoxu/76582941317.pdf
  • https://uploads.strikinglycdn.com/files/f2a1dc4a-68dc-4c12-87dc-e0dc4d4a4e94/84509531444.pdf
  • https://uploads.strikinglycdn.com/files/000a1f79-dcbc-47e8-b9d4-5edb0ef01d7d/48277694551.pdf
  • https://uploads.strikinglycdn.com/files/442ddb65-091d-4a73-91e9-96a9e1177dce/febazisatisivaf.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.