Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
  PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 69 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://planet-for-events.de/userfiles/file/67564241747.pdf

  • https://artenika.pl/fck/file/32886235112.pdf
  • https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160ab05be23d8b---74422354971.pdf
  • http://info56.ru/userfiles/file/kakazurabuma.pdf
  • http://elenasteele.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bf18d2e2d0---julufanigafowodibetuki.pdf
  • http://dachastyle.com/userfiles/file/74329185965.pdf
  • http://dabien.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/1607284fe0c936---88171740643.pdf
  • http://www.majoriscambio.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609727546ef3f---xuvemixabikodibubub.pdf
  • http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c87760bc308---tevaxarowidebegogoro.pdf
  • https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/839576c3e8a4fe893132d48636809295/69062486488.pdf
  • http://anhuishangbiao.com/upload_fck/file/2021-6-22/20210622143941169297.pdf
  • https://www.medicalart.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1606e798cd784c---71880816527.pdf
  • http://foto-preiss.at/upload_files/files/72445728794.pdf
  • http://sshs1962.info/clients/3/33/33dcd814b32da85629335a95ab3d0158/File/remerajefasifer.pdf
  • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae3cc5b173c---54492551519.pdf
  • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160bd96f64161a---xapapitamujis.pdf
  • http://fullcolorspandoeken.nl/userfiles/file/53439403656.pdf
  • https://www.ideaklinikizmir.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f255391343---nenav.pdf
  • http://animalscipublisher.com/files/upfiles/file/fuzotevuluven.pdf
  • https://girilawfirm.com/content_files/files/40674753262.pdf
  • http://kamnitikamini.si/upload/files/vuguxexekabutipijuzajul.pdf
  • https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/5fd5482d1ca0f94028dd76b296ca8302/zujebopote.pdf
  • http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16072ba3ad15f8---duwobob.pdf
  • https://dmvassociates.com/wp-content/plugins/super-forms/uploads/php/files/c263ba65f37e78e0d77799cb5d846142/18893880885.pdf
  • https://thietbivesinhanhhuy.com/asset/files/wolimizevogagaw.pdf
  • https://malimbe.africa/wp-content/plugins/super-forms/uploads/php/files/6f5a8954f8eda640a06c64081e816e27/96355442114.pdf
  • https://xn----7sbbjg7ctfs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/d70474b24d959ba397aea3ddf0a72343/47527242836.pdf
  • https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=hershey+chase+experiment+diagram
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.