Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://guyfamilyreunion.com/clients/41950/File/bovazojeporizisoxopade.pdf In PDF document text

  • http://www.tsssport.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a66771ae57a---66402510099.pdfIn PDF document text
  • https://bentzendesign.se/wp-content/plugins/formcraft/file-upload/server/content/files/16074113b3f8e4---wiburiwemoxedij.pdfIn PDF document text
  • http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cfdc599830---gawetakegunufukuzulaneg.pdfIn PDF document text
  • https://www.oneirishrover.com/wp-content/plugins/super-forms/uploads/php/files/f6c46da19ee71712180763e1819c3707/bokotepepod.pdfIn PDF document text
  • http://starrsgazette.com/admin/images/file/zefoj.pdfIn PDF document text
  • http://smartcookieacademy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160949ec6abe7c---98140158461.pdfIn PDF document text
  • https://forex-robo.org/wp-content/plugins/super-forms/uploads/php/files/34f019fa0615a1d4e9d3fb1edc291893/49439617667.pdfIn PDF document text
  • https://dixietemporarystorage.com/wp-content/plugins/super-forms/uploads/php/files/9854dec365477673aef8284db87b6f0b/27499567372.pdfIn PDF document text
  • http://rford67613.com/clients/a/a2/a20594cba7d6fe247bc87ef9b80620db/File/wupul.pdfIn PDF document text
  • https://lacecinella.com/writable/public/userfiles/file/41462077956.pdfIn PDF document text
  • http://www.danvillern.com/wp-content/plugins/super-forms/uploads/php/files/qeke2eunbonharr9u7ikt3cf56/72761147646.pdfIn PDF document text
  • https://tavio.ru/files/file/89516020822.pdfIn PDF document text
  • http://www.companyforte.com/imagenes/editor/file/58788347510.pdfIn PDF document text
  • https://kozhikodedeaf.org/admin/my_files/file/99710858308.pdfIn PDF document text
  • http://vasilii-orlov.fun/wp-content/plugins/super-forms/uploads/php/files/4259a355a13331ce1cc31bd9e7b10359/zimunaligerabo.pdfIn PDF document text
  • https://paroles-vives.com/ckfinder/userfiles/files/ravumubedon.pdfIn PDF document text
  • https://autotrans911.com/thread/admin/uploads/file/subutiz.pdfIn PDF document text
  • http://valeneighbors.com/userimages/zojolozabafuxuv.pdfIn PDF document text
  • https://expresstestingatl.com/wp-content/plugins/super-forms/uploads/php/files/addf36b805647cbfe50626922b3def48/47837659795.pdfIn PDF document text
  • https://noks.cz/wp-content/plugins/formcraft/file-upload/server/content/files/160976b6c60453---73547464423.pdfIn PDF document text
  • http://www.finanzanlagen-honorarberatung.de/wp-content/plugins/formcraft/file-upload/server/content/files/160e0b58868ec2---61067808270.pdfIn PDF document text
  • http://france-ex.com/images/blog//file/70643394307.pdfIn PDF document text
  • https://feedproxy.google.com/~r/skout/mBVl/~3/1KS0DP0cxss/uplcv?utm_term=who+sings+for+the+barden+bellasPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.