Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Urgency / deadline lure low SE_URGENCY_LURE
  Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://jumiwimov.ru/award?keyword=advanced+excel+full+course+pdf PDF link annotation

  • https://static.s123-cdn-static.com/uploads/4457563/normal_5fc61043cfe51.pdfIn PDF document text
  • http://hightrade.club/70579266949nzbgu.pdfIn PDF document text
  • http://nosinoski.shop/sofewumezagadelipijugs08g.pdfIn PDF document text
  • http://garderob-podolsk.ru/kotabulogixiruriledo46vki.pdfIn PDF document text
  • http://bt-management.website/warranty_deed_wisconsin_formmtkim.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4369763/normal_604b2fe82987f.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4473388/normal_5fe0e9965eb51.pdfIn PDF document text
  • http://shopbest.online/windows_powershell_5.0_free_download8avpd.pdfIn PDF document text
  • http://gouliwer.online/kurumefodurizowl4vf1.pdfIn PDF document text
  • http://ita-talia.fun/cs_1.6_cd_key_code624aw.pdfIn PDF document text
  • http://agencymedia-ig.com/mp_board_10th_class_maths_book_solutl6031.pdfIn PDF document text
  • http://gouliwer.onlineIn macro / runtime command snippet
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://uploads.strikinglycdn.com/files/0de83207-dced-4f04-8029-25afa2297516/rigging_your_fly_rod.pdfIn PDF document text
  • https://d525ee04-2a40-494f-8ba9-fee52f7b18ee.filesusr.com/ugd/8b8e24_f977dadfd562425f8ff45cb99cc55f4f.pdf?index=trueIn PDF document text
  • https://29aa9d28-cc9d-45fc-8d86-3718b5881c84.filesusr.com/ugd/74c34a_d341af7ca7544ee4a028a71c062d5d71.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/44f85c16-9000-4b6b-ba34-01bd5ff4acdc/high_chair_weight_capacity.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/730c5f95-be91-4141-9606-2a335b725da1/74282237237.pdfIn PDF document text
  • https://s3.amazonaws.com/jaloto/ischemic_stroke_guidelines_2018.pdfIn PDF document text
  • https://s3.amazonaws.com/daraniwekamidir/mezegenidukegoranewagif.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/439aed4d-6533-4fff-9f4a-c195b9639d1b/vasil.pdfIn PDF document text
  • https://s3.amazonaws.com/nuvukivaxiren/aashiqui_2_naa_songs_telugu.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/dceee48d-fd75-4d51-9dec-d8739faa31e5/24881097253.pdfIn PDF document text
  • https://34e51215-b586-4e01-b3ea-a219475a7b91.filesusr.com/ugd/46481b_f1b3a01fcb524a0c92af4477d3b62b04.pdf?index=trueIn PDF document text
  • https://1cdd1dcb-54a5-4750-95ad-c4cce9a68cd1.filesusr.com/ugd/1e32c2_05ff1980b5d34e71b0fe18105a0944e8.pdf?index=trueIn macro / runtime command snippet
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.