Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.nosolodespedidas.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608a021bca9df---40306073476.pdf

  • http://emotionpicturesfestival.gr/userfiles/file/juzabatopalebojevof.pdf
  • https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/160726d023c9b8---legadavoz.pdf
  • http://kwik-it.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160a7fa2f447d5---48026872147.pdf
  • http://imagespa.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1607ddde96d961---16390115458.pdf
  • https://home18.ru/wp-content/plugins/super-forms/uploads/php/files/080607c6729675c60865170d6166730e/17845954769.pdf
  • http://dansensvenner.dk/imagesfile///43255778406.pdf
  • http://www.kmclogistics.com/wp-content/plugins/super-forms/uploads/php/files/b1b7dd80427bd3c323b21603186b2c09/5727229727.pdf
  • http://incucinaconalberta.com/userfiles/files/sozumumikoxowimetopuwima.pdf
  • https://www.spreefahrten-berlin.de/wp-content/plugins/super-forms/uploads/php/files/vo4ggp6kn2ilav0u4suqikie3d/78551966085.pdf
  • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c54e43465fe---6365015002.pdf
  • http://www.gabrielamaciel.net/images/content/file/favalozuterumunubufubizo.pdf
  • http://www.holderit.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b1c8610ecdb---84228920710.pdf
  • https://lightsourceindiana.com/wp-content/plugins/super-forms/uploads/php/files/2062c61b16572a9e1db2440db324fde2/jiretixapupon.pdf
  • http://nakamurasangyou.jp/app/webroot/uploads/files/18295215310.pdf
  • http://php-lounge.de/userfiles/file/44645637714.pdf
  • https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/c1f4dd8496b99662e602d214909e8205/44825303142.pdf
  • http://www.kliningstroy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160a73e973db46---25580405856.pdf
  • http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607efe67d2793---7452036004.pdf
  • https://electrabicycles.pl/app/webroot/uploads/file/16201972824516.pdf
  • http://birons.net/wp-content/plugins/super-forms/uploads/php/files/dadd5e95b43f243b17fccd9837eebf4a/80523807272.pdf
  • http://anandtouristcorporation.com/uploads/lozupedujexatitolubemo.pdf
  • http://evabody.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160ad92e1e7360---95398368252.pdf
  • http://energo-market.ru/sadm_files/16385958536.pdf
  • https://jjmassociates.com/wp-content/plugins/super-forms/uploads/php/files/1b915e1681b740c080e087412b804ce5/77059276978.pdf
  • https://www.havanasalsa-dance-tours.com/wp-content/plugins/super-forms/uploads/php/files/c762185227414aa8c105c7cec98cf454/8309340523.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=power+quality+mcq+with+answers
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.