Malicious PDF — malware analysis report

Heuristics 6

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Callback phishing phone lure medium SE_CALLBACK_LURE
  Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://pousadamarazul.tur.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608cafe513169---96700359780.pdf In PDF document text

  • http://omniatel.it/wp-content/plugins/formcraft/file-upload/server/content/files/160ad2935ea957---gobudobamuku.pdfIn PDF document text
  • http://elard-group.com/ckfinder/userfiles/files/62326611475.pdfIn PDF document text
  • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/6fd135d141a48aaca92a6ce96866ce1c/befodipana.pdfIn PDF document text
  • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/vobqjbhd7t67ou7shh6bm4g3h3/zemeviwakabokukivanagepop.pdfIn PDF document text
  • http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/16118442067bc0---34620959114.pdfIn PDF document text
  • http://ulrike-mayer.de/userfiles/files/83524433609.pdfIn PDF document text
  • http://principessavencanice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4f56b4ef55---21953753504.pdfIn PDF document text
  • http://phillipwhiting.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a70493e4d08---86539939464.pdfIn PDF document text
  • http://www.sunarmisir.com.tr/wp-content/plugins/super-forms/uploads/php/files/uq4frsv5s34im3ckfsg8opesl4/dapemulidonugonobagawi.pdfIn PDF document text
  • https://viajespereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608abb7a9d974---28530165993.pdfIn PDF document text
  • https://dentinale.eu/wp-content/plugins/super-forms/uploads/php/files/53ca7e71bc1ba0fa4ee6cb28c377aaab/voguvipiba.pdfIn PDF document text
  • http://skrabl.pl/www/rpbd/fck/file/7775966652.pdfIn PDF document text
  • https://retentionstudentexperience.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b193063356---50546663786.pdfIn PDF document text
  • http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16071adf8e57f7---87150247726.pdfIn PDF document text
  • http://dom-2000.ru/ckfinder/userfiles/files/1643704314.pdfIn PDF document text
  • http://mini-garden.ru/userfiles/file/6842686979.pdfIn PDF document text
  • https://jlgardner.org/home/jlg/public_html/ckfinder/userfiles/files/doturisorogunuwipo.pdfIn PDF document text
  • https://tasivn.com/upload/ck/files/26167425977.pdfIn PDF document text
  • https://monarchwinemerchants.com/wp-content/plugins/super-forms/uploads/php/files/b8e13bcbca704c0413640d8e47adf58b/86864701116.pdfIn PDF document text
  • http://glenbrooksouth1970.com/clients/1/17/17fc1bd13d5538a69f39d58c869d2fc5/File/25823623827.pdfIn PDF document text
  • https://www.verimevzabavu.cz/ckfinder/userfiles/files/72026256340.pdfIn PDF document text
  • http://ruilong-ironwork.com/CKEdit/upload/files/24217639885.pdfIn PDF document text
  • http://megat.pl/uploaded/fck_files/file/32101538232.pdfIn PDF document text
  • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=how+to+set+up+feit+smart+bulbsPDF link annotation
  • https://bxthirteen.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/740148382f34e353833175473558e979/nitinifamo.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.