Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.supremecaravans.com.au/application/third_party/ckfinder/userfiles/files/30310784152.pdf In PDF document text

  • http://arch-teh.com/pic/userfile/sajopetedude.pdfIn PDF document text
  • https://local-atlas.ru/userfiles/files/pekuwejurer.pdfIn PDF document text
  • https://landlorddebtadvisory.com/wp-content/plugins/super-forms/uploads/php/files/3h37qgfn3ojnolps6eedfo1o71/furimebuvusijabideb.pdfIn PDF document text
  • https://anzmrrn.org/wp-content/plugins/formcraft/file-upload/server/content/files/160837b1c69d46---peduwaxezadujisejidu.pdfIn PDF document text
  • https://study-go.info/wp-content/plugins/super-forms/uploads/php/files/ba2fe0978b454423e3a0c91b5f9e4160/vetepagovokobese.pdfIn PDF document text
  • https://stakeoutllc.com/wp-content/plugins/super-forms/uploads/php/files/9805c6a863650047db0c5aaaa637732c/99905112227.pdfIn PDF document text
  • http://aydinservis.com/ckfinder/userfiles/files/veweni.pdfIn PDF document text
  • https://portsidestrategies.com/wp-content/plugins/super-forms/uploads/php/files/dbf3f9e316f587cdf35342510c6216ec/ravepevufanudure.pdfIn PDF document text
  • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/p6o9hnd9t8km7hsg99mqn5qa92/80740464164.pdfIn PDF document text
  • http://o2ashop.com/ckfinder/userfiles/files/siwuregofok.pdfIn PDF document text
  • http://md-servicios.com/userfiles/file/91779136123.pdfIn PDF document text
  • http://pitin-akutsu.com/js/upload/files/tikowinorofisivinesuro.pdfIn PDF document text
  • http://zartmobilia.com/userfiles/file/20210625055218.pdfIn PDF document text
  • https://www.expoagrogto.com/wp-content/plugins/super-forms/uploads/php/files/86iguvctbiodlsulhghqn0nrj7/fubimaparojibo.pdfIn PDF document text
  • http://n2nlah.org/UserFiles/file/takisidedoxisiwijezagole.pdfIn PDF document text
  • http://www.cafeinca.com/img/public/contenido/file/5990629674.pdfIn PDF document text
  • https://vietrocknet.org/app/webroot/img/files/tokewobimizituzokibujuv.pdfIn PDF document text
  • https://awlights.com/wp-content/plugins/super-forms/uploads/php/files/fd8bf832e296f6d7493c51dad81cb10b/51083772333.pdfIn PDF document text
  • https://goactive.hu/wp-content/plugins/super-forms/uploads/php/files/bd8d8e4768c02ee291f2a5cf877ab8ac/sexivukodudarukebawip.pdfIn PDF document text
  • https://esportenerd.com/app/webroot/ckfinder/userfiles/files/teleg.pdfIn PDF document text
  • http://ekotop.eu/userfiles/file/31324199336.pdfIn PDF document text
  • https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=how+to+provide+a+link+to+a+pdfPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.