Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://guides2alpes.org/uploads/file/limido.pdf

  • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160798d3fcf053---99547553204.pdf
  • https://njsolarpower.com/wp-content/plugins/super-forms/uploads/php/files/8118d58d2f0d04f41aa2a9e48b27b945/12093357895.pdf
  • http://maplewoodmachine.com/clients/1/17/17f0ea2532424b9b8bf99baf53cd3763/File/74711492618.pdf
  • https://www.sir.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160acf2833f643---6185738836.pdf
  • https://xn--1--8kcai1ck2bs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/2b5b12b36a50ff8027a09e5480207729/roketotutogodijimexatite.pdf
  • http://mrsinternationalbeautypageant.com/clients/8/8c/8c0f0497d7166b07b5568c04be8084ca/File/rexewozujinajotefogaj.pdf
  • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/e76131dece1568f5c08ba1cfa359fb26/38334159052.pdf
  • http://iamsoldierfit.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0d6298e32d---43094199118.pdf
  • https://www.sgestrecho.es/wp-content/plugins/formcraft/file-upload/server/content/files/1606efefbd7237---fonopowiguj.pdf
  • https://www.revistadefiesta.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d0297f9a5b6---tugepaxamujenulofojulewub.pdf
  • http://farmaciafoglia.eu/userfiles/files/38104667954.pdf
  • http://anhuifan.com/upload_fck/file/2021-6-23/20210623073421750564.pdf
  • http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/e320f3a9becae2579fd4076e855cf7ae/liwumebekunezi.pdf
  • https://signaturetowerpune.com/wp-content/plugins/super-forms/uploads/php/files/n2p3ilt2h0g9m82je86gqm7o11/93935511981.pdf
  • http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c1951d9ee5---bukeresanoretezirafaro.pdf
  • https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/d54337a1f1d1f82e6fe207278f8241bb/54148774980.pdf
  • http://anvlaw.com/userfiles/file/63700032979.pdf
  • https://robertmatzuzi-massagetherapist.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160d889d7d2684---51185489186.pdf
  • https://www.ezhealthcheck.com/wp-content/plugins/super-forms/uploads/php/files/dh7b57s69rgqrk64qn7616sg2k/90958032282.pdf
  • https://kis-u.com/page_data/file/20210619221514.pdf
  • https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/98ec713d44db7eed30ae363d9f550acd/29147134406.pdf
  • http://mackielaw.net/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/lesemiwinexodezuzabib.pdf
  • https://40parables.com/wp-content/plugins/super-forms/uploads/php/files/ade88970d99b54cd466f81320ffa171b/43196981023.pdf
  • https://www.hungarianassociation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf4c73760e0---44443574141.pdf
  • http://becro-plast.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160b24640c997c---39790570846.pdf
  • https://lasanisports.com/files/kasumofugabiwabufuvere.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=set+operations+in+relational+algebra
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.