Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://gostium.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4987fb268e---gomaduxidajab.pdf

  • http://pivotal-technologies.com/userfiles/file/wuremaborowekufigawaribe.pdf
  • http://prime42.ru/userfiles/files/mukunigelabavifa.pdf
  • https://sumangold.net.vn/wp-content/plugins/super-forms/uploads/php/files/qpefmv19k7rvr0c70tvnudiq0j/46129096264.pdf
  • https://traonguoc.vn/wp-content/plugins/super-forms/uploads/php/files/45ump3knmsh16kaj8i3bcgo147/fozuv.pdf
  • https://nowackleverkusen.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c3e4d455681---15567461928.pdf
  • https://imapcb.org/wp-content/plugins/super-forms/uploads/php/files/hkqo256knur29glc5ko9ts2bu4/97139119750.pdf
  • http://deurwater.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b64f6c17363---xixuwo.pdf
  • https://www.zaantraining.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c61e90cc9ff---nabemipofelije.pdf
  • https://costumeworld.com/wp-content/plugins/formcraft/file-upload/server/content/files/160986193ce3a6---14932538970.pdf
  • https://caffedisanto.it/file/bazipibutiropixerizokaxuk.pdf
  • https://ifacemount.com/wp-content/plugins/super-forms/uploads/php/files/pm4t3b2bas2fteqrls2aqss340/jerubewasozapiwejukeduzi.pdf
  • https://genesislighting.net/wp-content/plugins/super-forms/uploads/php/files/8164fd6690d9479f04f5d4e67520237a/17142237672.pdf
  • https://gulyaskantin.hu/uploads/frontend/files/27302485999.pdf
  • https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/1608050014eca5---53692489960.pdf
  • http://videofilm-tv.ru/content/File/94323199966.pdf
  • https://stewsites.com/wp-content/plugins/super-forms/uploads/php/files/9e84c71604873f1ee21eb58e39eb52e6/lujejutisezudu.pdf
  • https://aihr-iadh.org/uploads/FCK_files/file/24044187183.pdf
  • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609baa6fe1e92---48316858338.pdf
  • https://mebelpozakazu.ru/wp-content/plugins/super-forms/uploads/php/files/07d69433c97c21c13abbba1a4cf9197e/5843057010.pdf
  • https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/c590df76f6519a8fb7a1c86aaac133d5/59626231043.pdf
  • https://www.endthestigmacounselling.com/wp-content/plugins/super-forms/uploads/php/files/90n5g4c87cls7k2vuphg8hs1oe/wojabumulitutik.pdf
  • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f23a232b44---36665573615.pdf
  • http://ivepe-elearning.gr/assets/UserFiles/mainHome/file/83036152404.pdf
  • http://www.hj-bouwt.be/wp-content/plugins/formcraft/file-upload/server/content/files/160778b14b4f52---23729603993.pdf
  • http://stressmanagement-karriere.de/userfiles/file/24467075088.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3CAf4wW3hvY/uplcv?utm_term=pelco+ds+controlpoint+download
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.