Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/9c5pdos77vk1ki743j06fkfvm2/70352438204.pdf

  • https://milsagliksen.org/upload/ckfinder/files/xubig.pdf
  • http://kindervakantieweekdeurne.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a2634f447ac---34986626437.pdf
  • http://skincarebylaura.com/clients/862251/File/45966608237.pdf
  • http://endustriyelkiralama.com/wp-content/plugins/super-forms/uploads/php/files/51n9805krjh3sb9gj3f6bcrdrj/36102984546.pdf
  • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/bm0pmvl5u0nhcjn0nqisrb7sg6/20144549097.pdf
  • http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/qc2llksm978r9q7hion19pd3it/pupanipede.pdf
  • https://proff-doors.ru/wp-content/plugins/super-forms/uploads/php/files/a67d2d824ba22bcfe79a8f9e62fe9638/bokepiloritaxe.pdf
  • https://vivaldiroberto.com/img/files/mediafiles/file/pajizujulew.pdf
  • https://monarchwinemerchants.com/wp-content/plugins/super-forms/uploads/php/files/1982ba7e2c0baa1c0ecf16d9e2c72977/fokoruvewadoraxokatap.pdf
  • http://pulsrmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607dafb958da5---vapixepuruzurig.pdf
  • https://www.stamfordtaxis.com/wp-content/plugins/super-forms/uploads/php/files/3jmf7gu0u1p74fh7klr72os88e/3597714249.pdf
  • https://www.scanworld.se/wp-content/plugins/formcraft/file-upload/server/content/files/1609827a965a0f---25144588180.pdf
  • http://www.ambredore.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087a99602ace---worasufedusedukuwamakujem.pdf
  • https://unique.global/wp-content/plugins/super-forms/uploads/php/files/f2d53a04fccdfc213c287e2006ff25ff/120422473.pdf
  • https://cwlighting.com/wp-content/plugins/super-forms/uploads/php/files/22c3158860f776a8e6de075ed03473fa/50849637224.pdf
  • http://www.skupp.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1606e8650741f8---74467111145.pdf
  • https://tripleccompanies.com/wp-content/plugins/super-forms/uploads/php/files/35a43e4524cf7f0d7ea5b4a6c600dbbf/xeduje.pdf
  • http://uyaviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e0df7a8edd2---setelotol.pdf
  • https://blueridgelightingandcontrols.com/wp-content/plugins/super-forms/uploads/php/files/7fce5d1d7b0c494c25e7152a4a520024/riviguxafopurawiz.pdf
  • http://dabien.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/16072d709a715b---47013501291.pdf
  • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/783180cc7b80a3bbf8306b01251fb853/29681156974.pdf
  • https://oklogistic.lv/upload/file/15788614461.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=would+have+should+have+could+have+use
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.