Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• ClickFix social engineering attack high SE_CLICKFIX
  Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://dafemum.ru/aws?utm_term=hp+compaq+pc+bios+key

  • http://mihetos.xyz/poulan_2150_chainsaw_carburetor_kitt53gu.pdf
  • http://mugukix.mygamesonline.org/gadofovevata.pdf
  • https://cdn.sqhk.co/mekurapiw/CMierDT/x_plane_flight_simulator_controls.pdf
  • https://cdn.sqhk.co/wufevinek/qMANcji/95243191892.pdf
  • https://cdn.sqhk.co/ramidazumiko/Tjciegm/idle_life_sim_simulator_game.pdf
  • http://newuwedeza.mypressonline.com/usmle_step_1_test_cost.pdf
  • http://aov.one/public_administration_degreey5o48.pdf
  • https://cdn.sqhk.co/dujagazatad/dicN8hd/i_ll_eat_it_all_gif.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://uploads.strikinglycdn.com/files/438761f5-9f87-4bae-a736-1202e653839f/4214337761.pdf
  • https://uploads.strikinglycdn.com/files/11ed68b7-f604-4aec-9299-a40c1770043a/93305871289.pdf
  • https://6d706a39-1f93-4f1a-9423-caccf7e65e71.filesusr.com/ugd/69f91f_bfac8fd6b9434ccb98b8675e18d819e4.pdf?index=true
  • https://c480cc3d-c044-45b7-a7fa-747782367dcd.filesusr.com/ugd/a26f59_30737a99be45491fba2e72260dbb7488.pdf?index=true
  • http://tifilow.onlinewebshop.net/project_report_on_online_banking_system.pdf
  • https://uploads.strikinglycdn.com/files/eb575605-8a46-4cd6-945a-37afc59b7db4/how_to_use_knitting_machine_punch_cards.pdf
  • https://uploads.strikinglycdn.com/files/e2461579-5854-4c9e-9b53-2a0ca2687a90/gidesa.pdf
  • https://uploads.strikinglycdn.com/files/5dee34dc-4663-49c6-9be2-3be1573ad1bf/how_did_you_spend_your_summer_vacation_for_class_4.pdf
  • https://uploads.strikinglycdn.com/files/5716f345-0c7f-4804-8b83-728bf973fb2c/how_do_you_open_a_sentry_safe_with_a_dead_battery_and_no_key.pdf
  • https://144ece88-722e-4d59-a9d1-ae16887514c2.filesusr.com/ugd/48b17f_8d6ed47f90504687aea138fa477dca0c.pdf?index=true
  • https://uploads.strikinglycdn.com/files/cc3f42d2-a808-4b87-871c-902c7d4d5836/56176015594.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.