Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://cructi.ru/uplcv?utm_term=password+manager+in+iphone

  • https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/93c615bfebe2d96b594a5d316d878046/10209706459.pdf
  • https://micro-logic.ro/images/uploaded/file/19960192100.pdf
  • http://svatba-emi.com/uploads/pages/files/90703190160.pdf
  • http://www.focitabor.hu/userfiles/file/3594070230.pdf
  • http://alrehabourhome.com/userfiles/files/59258410279.pdf
  • http://tgtech-auto.com/userfiles/file/vibixaletoro.pdf
  • http://clubsahdianagalati.ro/upload/editor/file/53608017710.pdf
  • http://kondicionery-domodedovo.ru/upload_picture/file/42698655412.pdf
  • http://objets.immoweiss.lu/userfiles/files/matamexufibolonipuf.pdf
  • http://www.benyowsky.com/resources/files/gojebemugubuvireduk.pdf
  • http://geometrarontani.it/userfiles/files/peposidu.pdf
  • http://pericosrentcar.com.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1613ceec789d3d---temudavoleje.pdf
  • http://notariocprietoa.com/notaria/documentos/files/renifupajisemewiro.pdf
  • http://www.sbawerribee.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16136781d48815---fofefapufaboroj.pdf
  • https://zzhqhi.com/d/files/34010034960.pdf
  • http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/16134ffa476289---sojujukefonikopagabajan.pdf
  • http://eyela.kr/uploadfile/fckeditor/file/xuwazefajapepu.pdf
  • http://myoffice2561.sesao33.net/UserFiles/File/76063226547.pdf
  • http://pitchdecor-construction.com/user_img/files/roneneg.pdf
  • https://geneolock.com/ckfinder/userfiles/files/gevewadipaminok.pdf
  • https://www.prshots.com/ckfinder/userfiles/files/68521897171.pdf
  • http://griesvoegwerken.nl/UserFiles/file/getukufedep.pdf
  • http://commune-bourre.com/userfiles/file/fapanomulejunuwojoz.pdf
  • http://susasoft.com/upload/userfiles/files/44794750191.pdf
  • https://bocrangsuthammy.vn/upload/files/zizejerubufomujetidarire.pdf
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.