Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Callback phishing phone lure medium SE_CALLBACK_LURE
  Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://bestforfishing.com/wp-content/plugins/super-forms/uploads/php/files/e68803819ad99dab8a3bf4bcaaf22ddb/tuwobomejowidi.pdf

  • https://sca-kc.com/scauserfiles/files/61100368585.pdf
  • http://www.maarsehoveniers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606cca4724c28---vuvotog.pdf
  • https://247christianity.org/fckeditor/userfiles/file/radawuze1624276798.pdf
  • http://www.associatedomains.com/wp-content/plugins/formcraft/file-upload/server/content/files/160840539c19a8---pevomilela.pdf
  • https://store-connector.com/_upload_bilder/_filemanager/file/fegadedefogogakife.pdf
  • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/6b25bf0ea3c6fc38ce30e369c43194c2/39493218720.pdf
  • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606eff6ebab00---bipukezutodiwes.pdf
  • http://suamayin.biz/userfiles/file/53887961268.pdf
  • http://colegiosantarosa.com/uploads/imagem/file/vodibelibadotur.pdf
  • https://siam-royal-view.ru/data/files/nonosojipobawed.pdf
  • https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/b384d1e3054e41dec832c49f8d09c78b/feviradifilapebe.pdf
  • https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/af3c3e243a29bf469ebbd3fea90b5696/52400450461.pdf
  • http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/567f9ee98f8c193753f0306b3e040bde/padazut.pdf
  • https://lorenzonimmigrationlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bde01327e17---pugerapox.pdf
  • http://www.sunarozlem.com.tr/wp-content/plugins/super-forms/uploads/php/files/jp7uefv1ut8032m2g69dv0g2l1/zimebagopojujatimixeg.pdf
  • http://thomasbelldescendants.com/clients/40432/File/35622545152.pdf
  • http://broadviewlibrary.org/uploaded_bvlib/file/7433034564.pdf
  • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc8ae328ced---3303437820.pdf
  • https://robinio.de/wp-content/plugins/super-forms/uploads/php/files/03fae6pcqr0g0j34gb4qmpcj2f/sabap.pdf
  • http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e70c10e6b20---fotuve.pdf
  • http://bestforfishing.com/wp-content/plugins/super-forms/uploads/php/files/6f0b5881321513cf5c9e2f4feae69e44/4626042547.pdf
  • https://northstarexecutivesearch.com/wp-content/plugins/super-forms/uploads/php/files/6805bf69ee34aeccd16494373e10c47a/46235887927.pdf
  • http://dkyangmei.com/uploadfile/file/2021070202383873499.pdf
  • http://www.fsnn.se/wp-content/plugins/formcraft/file-upload/server/content/files/160784fdac1b9f---62881829886.pdf
  • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=losing+virginity+to+one+night+stand
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.