Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
  A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
• Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
  PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 41 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://maypoin.ru/aws?utm_term=weight+loss+veg+diet+chart+pdf PDF link annotation

  • https://cdn-cms.f-static.net/uploads/4463538/normal_602025c63ef7e.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4453102/normal_600c541d77e9b.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4416506/normal_601d176fad506.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4486742/normal_60220589bffde.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4420230/normal_5fdc2ee524ed2.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4414488/normal_5fd92dc35fb48.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4410985/normal_6019b24b3dfc6.pdfIn PDF document text
  • https://gelejidog.weebly.com/uploads/1/3/4/6/134688201/1070657.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4404741/normal_5fdc6c806b2bf.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4382420/normal_5ff2c44eae825.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4389603/normal_5fdd31c5cc23f.pdfIn PDF document text
  • https://kefapadasogimok.weebly.com/uploads/1/3/4/6/134601884/25536.pdfIn PDF document text
  • https://s3.amazonaws.com/mokixetat/it_s_a_girl_card_template.pdfIn PDF document text
  • https://s3.amazonaws.com/sajatofubote/kibojaputivoxikezilorode.pdfIn PDF document text
  • https://s3.amazonaws.com/rekawexuretowo/56399490093.pdfIn PDF document text
  • http://magapupegijovot.epizy.com/falcon_zero_f170_firmware_update.pdfIn PDF document text
  • http://bavajozobe.epizy.com/19423123001.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.