Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://inwebjor.ru/uplcv?utm_term=if+else+in+function+r PDF link annotation

  • http://project-lovcen.me/userfiles/file/33745924162.pdfIn PDF document text
  • https://www.lightingdynamics.com/wp-content/plugins/super-forms/uploads/php/files/130eb260541168bf0a23ea88ba4732b2/73161707919.pdfIn PDF document text
  • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad1cb22b64d---sotubir.pdfIn PDF document text
  • http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/16072c759d5c8d---98395799155.pdfIn PDF document text
  • http://xn----8sbxab3abskk3a2j.xn--p1ai/media/file/85912688836.pdfIn PDF document text
  • http://cuatudongnhatrang.com/uploads/files/loxujunaxevizapo.pdfIn PDF document text
  • https://evocative.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160c8805416a81---37255924833.pdfIn PDF document text
  • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/cf0ade6eddad3bd215f144b24a3fd5b5/tiwirew.pdfIn PDF document text
  • http://bielwod.com/userfiles/file/36923476808.pdfIn PDF document text
  • http://www.ibadirect.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2ac12b8ba9---82455259256.pdfIn PDF document text
  • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adbbc4ca2ad---92592791793.pdfIn PDF document text
  • http://musicpark-live.de/userfiles/file/sefuxen.pdfIn PDF document text
  • http://glotecgh.com/upload/editor/file/83164889210.pdfIn PDF document text
  • https://www.cr-sdc.org/wp-content/plugins/super-forms/uploads/php/files/f3532ecf318e1fd595ac99974a9a0f0b/memijivopireb.pdfIn PDF document text
  • http://pensacolahigh1964.com/clients/1/1d/1d652d7f5bd5fd2f3712913460b20393/File/64241672460.pdfIn PDF document text
  • https://www.pfgpartners.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607897a390d3b---82909174273.pdfIn PDF document text
  • https://themodernla.com/wp-content/plugins/super-forms/uploads/php/files/eac75a51e021a5ff7e60a30e3a0819b5/4153347097.pdfIn PDF document text
  • http://math-talk.kr/wp-content/plugins/super-forms/uploads/php/files/oipg9b5siiroe87mlq7dr7ta9e/88690703681.pdfIn PDF document text
  • https://www.avenueroadadvertising.com/wp-content/plugins/formcraft/file-upload/server/content/files/160732afa9cb75---lanotowopiborugusimar.pdfIn PDF document text
  • https://apoiotelecom.com/imagens/img_fckeditor/file/80364196404.pdfIn PDF document text
  • https://fanaf.com/article_ressources/file/19561694142.pdfIn PDF document text
  • https://www.lashharmony.co.uk/wp-content/plugins/super-forms/uploads/php/files/2qkn17ds40160r526l473lf7a9/fodemixim.pdfIn PDF document text
  • https://bechtoldpaving.com/wp-content/plugins/super-forms/uploads/php/files/89ffc987d7f7cfb717127a1db9adc48e/86228583916.pdfIn PDF document text
  • https://ltgtrends.com/wp-content/plugins/super-forms/uploads/php/files/6ee631c73291e7e6b0f5cc028de65527/1525792278.pdfIn PDF document text
  • http://at2apigroup3.com/contents//files/silogogurujizexitineruzo.pdfIn PDF document text
  • http://bjhtdszdh.com/v15/Upload/file/2021622162183821.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.