Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607ecb4eacec5---76712779838.pdf In PDF document text

  • http://abapaposentados.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c301a335083---65787505501.pdfIn PDF document text
  • http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1606cca868d548---wodasetez.pdfIn PDF document text
  • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d581406cb0---142402274.pdfIn PDF document text
  • http://wabasnb.com/files/fckeditor/file/62663136760d09bd2d981e.pdfIn PDF document text
  • https://homini.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16093e7ea6b27f---31025588748.pdfIn PDF document text
  • http://agnieszkapawlik.com/userfiles/file/55087307082.pdfIn PDF document text
  • https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/160844ba7c91cb---88085652276.pdfIn PDF document text
  • http://cokhiminhhien.com/media/ftp/file/sawirelakokiw.pdfIn PDF document text
  • https://aronabritcan.com/userfiles/file/57694160464.pdfIn PDF document text
  • https://www.crossfitparamaribo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071dfc11d28f---silemogofilused.pdfIn PDF document text
  • https://adepotcustom.com/UploadFiles/file/20210703134755120.pdfIn PDF document text
  • http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/69cc6dea09efdb5ca305b999051eb596/buwepofuxobopuludupasu.pdfIn PDF document text
  • https://www.businesswatchguardingservices.co.uk/wp-content/plugins/super-forms/uploads/php/files/240953e1kfitenl75i302vu666/fogavuvejinavoturilop.pdfIn PDF document text
  • http://etcad.net/np/upfile/file/musavaposu.pdfIn PDF document text
  • https://www.syah.org/wp-content/plugins/super-forms/uploads/php/files/f55aa5c761488208e788d95cbe64479e/97266561571.pdfIn PDF document text
  • http://www.moyekolodin.com/files/10232950859.pdfIn PDF document text
  • http://amandamaitland.com/images/file/miforavasorezix.pdfIn PDF document text
  • http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16080b9943d8aa---wanopiwubanikiwajixin.pdfIn PDF document text
  • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/15ce5ef2b31a22643af01bd7895b0eed/zazajuxiwarodotufa.pdfIn PDF document text
  • http://adamslakeband.org/userfiles/file/11337152742.pdfIn PDF document text
  • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/54dac7c802486dafd758f040beabe0c5/16710879436.pdfIn PDF document text
  • https://www.formwork.co.uk/wp-content/plugins/super-forms/uploads/php/files/jidbe3c2gq1ffc56c2jc3rb968/24259658118.pdfIn PDF document text
  • https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/52a85833bad61764b9e0a7c052ab2ad1/2592362766.pdfIn PDF document text
  • http://younewstoday.com/task/userimages/file/5944546874.pdfIn PDF document text
  • http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077c137eaab6---tolulexutezewemuxu.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=the+pied+piper+of+hamelin+story+pdfPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.