Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://botokaw.ru/award?keyword=rte+admission+2020+20+form+pdf

  • http://gmetry.online/16014845190zwjic.pdf
  • http://wei-nmvc.com/56464137346h4pz7.pdf
  • https://kisewosa.weebly.com/uploads/1/3/1/0/131070890/3939346.pdf
  • http://mail-autoscout24.net/luwolizodixo7bhrf.pdf
  • https://cdn.sqhk.co/tapowifilez/hdihhaw/incantation_and_ritual_flute_sheet_music.pdf
  • https://cdn-cms.f-static.net/uploads/4415326/normal_60182d8a33d98.pdf
  • https://konizalo.weebly.com/uploads/1/3/5/3/135388679/1f4a41a51.pdf
  • https://static.s123-cdn-static.com/uploads/4408483/normal_5ffdb3f59717b.pdf
  • https://cdn.sqhk.co/saseponirifa/Vmif10a/disney_plus_subscription_support_phone_number.pdf
  • http://trafikcezaodebayisi.com/rakoxeveavs2k.pdf
  • https://cdn-cms.f-static.net/uploads/4367632/normal_600b6a105df70.pdf
  • https://static.s123-cdn-static.com/uploads/4368996/normal_5ff21368ee986.pdf
  • https://cdn.sqhk.co/pukikojat/ijyYELg/tadoniribop.pdf
  • http://otomail.business/18231902491z3o53.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://uploads.strikinglycdn.com/files/c427f36e-e2b1-4d5e-bab8-fed4daf8bab9/naxizekolebafu.pdf
  • https://uploads.strikinglycdn.com/files/b7ac6d68-0a9a-48ce-8fc3-05762f127224/reading_like_a_writer_quotes.pdf
  • https://uploads.strikinglycdn.com/files/99b6a8ce-9aa9-4221-8bf9-8a15e35a5340/graphic_design_bookstore_amsterdam_course.pdf
  • https://uploads.strikinglycdn.com/files/b87e0390-7990-4219-a031-2514dfe949ff/9503927943.pdf
  • https://uploads.strikinglycdn.com/files/5c323fdb-c74a-4479-abfd-3c50e48bc6e1/is_lady_bird_lake_trail_open.pdf
  • https://uploads.strikinglycdn.com/files/0ebe8299-b21a-4b1a-b9ca-2bb864f213d4/att_u_verse_tv_codes_remotes.pdf
  • https://uploads.strikinglycdn.com/files/60961696-8e3c-45f6-b8e2-9ec455cfe8ef/dadiwuve.pdf
  • https://uploads.strikinglycdn.com/files/de8fe913-24f9-42dc-83fa-0db4f13bc94d/vojonumuxipulamipo.pdf
  • https://uploads.strikinglycdn.com/files/69ef12fc-fc9d-4121-8c29-7b8e4dcfb43e/fisher-price_auto_rock_n_play_manual.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.