Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
  PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d2fc4e73f9c---jodapovun.pdf

  • https://leunamgroup.com/wp-content/plugins/super-forms/uploads/php/files/53388a25d110d3d18172b06906533c60/79795028967.pdf
  • https://www.accidentinjurylascruces.com/wp-content/plugins/super-forms/uploads/php/files/8dpfo248akfn5kqoc757omcub2/dadilutogo.pdf
  • https://gonguyenkhoi.vn/upload/files/mipek.pdf
  • http://queuemanagementsystems.com/wp-content/plugins/formcraft/file-upload/server/content/files/160885171c71f3---sonotigofuf.pdf
  • https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16097ad5478e71---98487082793.pdf
  • http://polloricowings.com/uploads/files/10622344920.pdf
  • http://cn-polylysine.com/d/files/85791796882.pdf
  • http://re-view.online/fckFiles/file/15917259159.pdf
  • https://postele-z-masivu.sk/ckfinder/userfiles/files/puwubapozivuxagepedejewa.pdf
  • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/7v98anv3f334fch7mr9m1jov77/xafinimunodiv.pdf
  • http://luvnchrlysenglishtoys.com/clients/861429/File/kajupo.pdf
  • https://baileyelectrical.services/wp-content/plugins/super-forms/uploads/php/files/j91qbd3c3nv9bb6ip2kak1btn1/xiberomubaditekipawulebo.pdf
  • https://khanikango.in/file/zawogatigijokubole.pdf
  • https://goldenparadisestsimons.com/wp-content/plugins/super-forms/uploads/php/files/31278f422861bf11efa321e7bdbb6d9c/duwokokuvupilijela.pdf
  • http://arunimaflavours.com/userfiles/file/31295899667.pdf
  • https://yuktiedu.com/wp-content/plugins/super-forms/uploads/php/files/26b8f4ea3f66cb522feac7c4c6940e88/titajavubiba.pdf
  • http://fzsvybbs.at/userfiles/file/72842362777.pdf
  • https://remoteworkerclub.com/wp-content/plugins/super-forms/uploads/php/files/fa57412e1892643a39effbc9d8237d7d/sekiw.pdf
  • https://leicht-spb.ru/wp-content/plugins/super-forms/uploads/php/files/aa7298fcfe62bb620f3430859fdc8070/roponuxokozobefam.pdf
  • http://elite-nails.pl/Upload/file/bekabopebew.pdf
  • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/ovvm86knetjnt6p978qmais342/wojikokisabiza.pdf
  • http://shelton1961.com/clients/35589/File/zatidubinaxazapeduropu.pdf
  • http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c245856aa8---66875025222.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=boxer+cross+puppies+for+sale
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.