Malicious PDF — malware analysis report

Heuristics 4

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://drafthe.ru/uplcv?utm_term=indian+author+books+pdf+free+download PDF link annotation

  • https://www.pal-kont.hu/wp-content/plugins/super-forms/uploads/php/files/eb442b07918ca38f6ae4e94367588ea0/51091175548.pdfIn PDF document text
  • http://circolonauticofavignana.it/userfiles/files/69221059479.pdfIn PDF document text
  • https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/a880b9f13c928bc2a8eabefdd9be4d2c/zalinikuje.pdfIn PDF document text
  • http://apsencollege.org/test/fckeditor/file/xanasemu.pdfIn PDF document text
  • https://contact-house.com/fckeditor/upload/file/posinufejokopaxifek.pdfIn PDF document text
  • https://weeb.nu/userfiles/file/48630027169.pdfIn PDF document text
  • http://ibb-online.ru/f/file/33194691418.pdfIn PDF document text
  • http://www.pointcookelectrician.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160c77a52a4bbf---11991233931.pdfIn PDF document text
  • https://playgametoday.ru/wp-content/plugins/super-forms/uploads/php/files/4335007a7fa9c0677df316ff70c463e0/68014317416.pdfIn PDF document text
  • https://valserve.in/web/k/main_admin/ckfinder/userfiles/files/98732437715.pdfIn PDF document text
  • http://dges.in/userfiles/file/kugunazekazenoxodusijef.pdfIn PDF document text
  • https://asset-books.com/userfiles/file/81302426912.pdfIn PDF document text
  • https://teenvolunteerdallas.org/wp-content/plugins/super-forms/uploads/php/files/14e3e73029041228701b7500864e01e4/33066392642.pdfIn PDF document text
  • https://blindnow.com/userfiles/file/kabavose.pdfIn PDF document text
  • https://monacollection.ua/wp-content/plugins/super-forms/uploads/php/files/3d40cfb6468b59c228241b216bbc33a7/27468693263.pdfIn PDF document text
  • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/16096cb044ba73---4614566428.pdfIn PDF document text
  • http://www.jesuseslaroca.org/wp-content/plugins/formcraft/file-upload/server/content/files/160bd369d7623f---70139173726.pdfIn PDF document text
  • http://tgtech-auto.com/userfiles/file/kuxoxezebe.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://scripts.sil.org/OFLIn PDF document text
  • http://www.geocities.com/mitra_anirban/hobbies.htmGNUIn PDF document text
  • http://www.gnu.org/copyleft/gpl.htmRegularIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.