Malicious PDF — malware analysis report

Heuristics 4

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://endoaccessories.com/wp-content/plugins/super-forms/uploads/php/files/gojk0tha5ibie11ppfpm38ou9p/83025376170.pdf

  • https://www.digitalsofts.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cc60c1e884---vodaliwib.pdf
  • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/ef1d4c548e1acf78a16289ca3a9c24df/44655407316.pdf
  • https://www.lightingsolutionsinc.net/wp-content/plugins/super-forms/uploads/php/files/cce25dca1a20c7b2e0c97e0c0cf1db8e/jegisufenefixugelowefuba.pdf
  • http://bestforfishing.com/wp-content/plugins/super-forms/uploads/php/files/062f6b3fe00a8b9c9da408b9dd863dd7/fabajirutupavezamep.pdf
  • http://asesorialuishervas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d43503d3b1---latafiredobosobe.pdf
  • http://opalbiosciences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ee3f506a78---tolawufim.pdf
  • https://comesa.com.pe/wp-content/plugins/super-forms/uploads/php/files/n0nb9l7nmqffck38rj99aau9a5/40565944489.pdf
  • https://pointsourcegroup.com/wp-content/plugins/super-forms/uploads/php/files/2572bd409e5230a32a7c52352c6655e1/nufaxod.pdf
  • https://rescue.bg/wp-content/plugins/formcraft/file-upload/server/content/files/1607a0789adf68---54869176562.pdf
  • https://siyata.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/16074f8a1bf6ea---rakilazejuzipin.pdf
  • http://aeskulap24h.com/wp-content/plugins/formcraft/file-upload/server/content/files/160898cb03dbe5---51672711760.pdf
  • https://forcechicago.com/wp-content/plugins/super-forms/uploads/php/files/212c9e2ea8d26a8cb83bd9ce8ec53615/wiwake.pdf
  • https://xn----7sbabak5acz7byau.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/e8c941fb947c2f8d5a15c412c9d67c80/67354892674.pdf
  • http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a783456759---zekugepiviwigoxepikimaw.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=alchemy+gold+guide+classic
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.