Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a986ab59a1e3320…

Verdict: MALICIOUS
File type: PDF
Size: 74.4 KB
Created: 2021-03-17 01:58:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d2c4bb64c16558aa9cefcd79253612e
SHA-1: d797380ac5ad9029560310a19023b12dfcd6fc64
SHA-256: 0a986ab59a1e33204680c825d8b5477c5f7a81df14de3ceee3ae5266b3750996
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is a malicious phishing document and a link farm. The embedded URL https://pelibifir.ru/123?utm_term=shareable+calendar+app+for+iphone+and+android is the primary indicator of malicious intent, likely serving as a lure for users to click and potentially download further malware or submit credentials. The ML classifier and ClamAV detection strongly support the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e5d8.bin
  SHA-256: 6fdd39a95c0495daf9e945b840536200ff162205a2b0191ad2c62be6e703d76c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE5D8
  Size: 5308 bytes

Filename: font_01_sfnt_off0000f7db.bin
  SHA-256: e8f36f7adc47d325166145a079c55f57fb4e544af2c503534204f237faf60775
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF7DB
  Size: 10620 bytes