Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://archism.ru/uplcv?utm_term=project+free+tv+mandalorian

  • http://thaimassagemodel.com/ckfinder/userfiles/files/98821084848.pdf
  • https://terrebleue.org/userfiles/file/80402165353.pdf
  • http://inteko-tula.ru/f/file/73532540522.pdf
  • https://threadworx.com/thread/admin/uploads/file/40977693722.pdf
  • http://amongelite.com/ci/userfiles/files/17832574932.pdf
  • https://webmakler.org/userfiles/file/30571973133.pdf
  • https://giverny-bkk.com/upload/files/nifogu.pdf
  • https://ibrahimkoc.com/images/Media/files/nomigegawameg.pdf
  • http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1613b411c28a1b---41759083730.pdf
  • http://aurora-c.jp/files/files/kapuzijisisirabebirunen.pdf
  • http://www.zav-mito.si/wp-content/plugins/formcraft/file-upload/server/content/files/16135096d0cde0---99244728598.pdf
  • https://membermimpi.com/contents/files/16212437237.pdf
  • http://machi-tomo.xyz/js/ckfinder/userfiles/files/waxegaxixeba.pdf
  • http://www.findvoters.com/userfiles/file/17634620926.pdf
  • http://driver-jazda.pl/upload/file/77275528967.pdf
  • https://cosonnguyenthanh.vn/webroot/userfiles/files/zawubifadam.pdf
  • http://tevukasveza.lt/ckfinder/userfiles/files/63919280731.pdf
  • https://lazeo.nl/userfiles/file/satikulogukumavu.pdf
  • https://bankkartya.hu/js/ckfinder/userfiles/files/93235703118.pdf
  • http://connectcontrol.net/files/userfiles/files/sarijusegoni.pdf
  • http://bycongroup.com/UserFiles/file/40476767457.pdf
  • https://www.taxikladis.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1613239756bf82---35006994595.pdf
  • https://www.karelo.com/uploads/File/65330359403.pdf
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.