Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://coretry.ru/uplcv?utm_term=pathophysiology+of+disease+book+free+pdf

  • http://jingluo.net/uploadfiles/files/tugemode.pdf
  • https://cvenhancer.com/wp-content/plugins/super-forms/uploads/php/files/98d33eea58d3dfe25ceebcf2a09aa574/29873362565.pdf
  • https://www.vedaaz.com/wp-content/plugins/super-forms/uploads/php/files/feec31d792792d2694844f396c07d2b6/31335934563.pdf
  • https://pilotcenter.gr/wp-content/plugins/super-forms/uploads/php/files/qppunfq6c3r5aotop65fbkhvjj/5783696531.pdf
  • http://www.kevinbrooks.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a21f3599b25---kewakubebakekop.pdf
  • https://baongochoa.com/upload/file/lamezavo.pdf
  • http://nakatka.com/files/file/90490878461.pdf
  • https://bluetact.com/locktactyuma/userfiles/file/fadugunidu.pdf
  • http://fashioncenterpoint.com/wp-content/plugins/super-forms/uploads/php/files/a84dbc35264a7b76cd0a9eded0b7be47/vesedi.pdf
  • http://www.immiflex.com/wp-content/plugins/formcraft/file-upload/server/content/files/160746cc80acd5---xobuwoloxepubeji.pdf
  • http://www.anjhimayath.com/upload/file/865271674.pdf
  • http://nek.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1607c711555437---25156390451.pdf
  • https://cedarcreeksauce.com/wp-content/plugins/super-forms/uploads/php/files/b1512580448395e877ffa132f18bdbe0/mokafivodejolurejewis.pdf
  • https://unicornproduction.gr/wp-content/plugins/super-forms/uploads/php/files/f9c3f200364b65247b126cac8aad7c4a/83269965973.pdf
  • http://timelessmebel.ru/wp-content/plugins/super-forms/uploads/php/files/0edd74c24e0c56a521df3d7c03d7341c/kuzuji.pdf
  • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090bf48897a7---76897421893.pdf
  • https://macleanpinesdrivingschool.com.au/wp-content/plugins/super-forms/uploads/php/files/09bd832b31de65d88b5db1a03fa9d59c/11461996233.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.