Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ponafet.ru/wix?keyword=ghost+world+pdf+download PDF link annotation

  • https://farazekij.weebly.com/uploads/1/3/4/3/134379469/f8d3640b7ad7c6f.pdfIn PDF document text
  • https://dowozazufexu.weebly.com/uploads/1/3/4/6/134606261/9672844.pdfIn PDF document text
  • https://jusopusoguwukul.weebly.com/uploads/1/3/4/4/134494455/2685329.pdfIn PDF document text
  • http://dalifajebuxog.scienceontheweb.net/jodidoxefoberex.pdfIn PDF document text
  • https://bilezebije.weebly.com/uploads/1/3/4/3/134344171/7884f5a597dbd.pdfIn PDF document text
  • https://sedonefuwetupo.weebly.com/uploads/1/3/4/6/134669082/9640842.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.daltonmaag.com/In PDF document text
  • https://755d026c-fd58-4633-9ca9-8af24261f473.filesusr.com/ugd/4622eb_1e75fd32e05342568b575ec02c2fb7c0.pdf?index=trueIn PDF document text
  • https://e668d0bc-6b9c-4787-ac64-5363b724ef62.filesusr.com/ugd/6ec699_81f15767513745e6be34eda2718abe3f.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/81df5390-987e-4f40-8920-34ffab0065e7/kenmore_elite_microwave_model_721_light_bulb.pdfIn PDF document text
  • https://321e46d8-a3e9-4523-905f-b0dcd1dcb7ef.filesusr.com/ugd/29fbc3_0b33b84ca71e484889cec496b6ce5028.pdf?index=trueIn PDF document text
  • https://9a4b5e96-23fe-4021-9525-787506808755.filesusr.com/ugd/b3318b_118b327b1b594314967190f5c7631478.pdf?index=trueIn PDF document text
  • https://e31b828f-dd5d-4b35-abba-5777d5fc2ed6.filesusr.com/ugd/56a8cc_57964545b7824436ae1b68649f2e390a.pdf?index=trueIn PDF document text
  • http://doriponesarom.myartsonline.com/full_body_stretch_routine.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/31b06199-2110-44e3-921a-9d8e8c0628ab/losixo.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/bd73d6d0-efee-45f4-8d44-d320ed649d52/doubledown_casino_app_store.pdfIn PDF document text
  • https://40e214c1-1950-44e8-a195-e2c6eeb23253.filesusr.com/ugd/a517f4_daf17d22ce674617b0eb55c46a11a7c8.pdf?index=trueIn PDF document text
  • https://d0a6b1b1-1773-4622-8b5e-0ab5990a7ed3.filesusr.com/ugd/b90ba1_3f100ad75e5544e18babb8bf60869d3e.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/02581d01-8462-4ea2-a2f0-7aa175ecb821/does_walmart_sell_pulse_oximeters_in_store.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/66d3bbe2-c05e-4ad3-a317-5b4ddc1cd690/troy_bilt_pony_tiller_belt_replacement.pdfIn PDF document text
  • https://76ed6b59-b034-43ac-b949-e1c08f76e3cb.filesusr.com/ugd/ee6100_0ad5394fdfdd4ba29a492cb9472f61d0.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.