Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.findvoters.com/userfiles/file/sikudiwekusanasotasatak.pdf

  • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/uo73fa8k1gsp59ss8jem21pejd/81405282059.pdf
  • http://anonelectronics.com/admin/fckeditor/editor/filemanager/connectors/php/upload_jpg/file/202105290708198395.pdf
  • https://www.kadinlarsitesi.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607c0172807b8---25894768049.pdf
  • https://www.myosiaffiliate.com/199trust/img/file/1672626842.pdf
  • http://www.petersmetalstitching.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609d698799bc4---32879971421.pdf
  • https://www.verpoort-bouw.be/wp-content/plugins/formcraft/file-upload/server/content/files/16094d1a068cfb---21384199470.pdf
  • http://informerfitness.com/wp-content/plugins/super-forms/uploads/php/files/1bf453161bf3edf765274525b8eda898/78380056661.pdf
  • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2e73b495bf---vuwotabetumijuvog.pdf
  • http://hanhthien.net/uploads/file/wazofabanisidifel.pdf
  • http://campbellelectronics.com/uploads/97614507656.pdf
  • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/9bc03cdd0c6c1f489105bff4ec8cdb9b/2394983406.pdf
  • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/7ed738bb0f7ab762a81ba59426fd5326/66002707727.pdf
  • http://n2nnetworks.com/files/others/90533417956.pdf
  • http://www.klpreschool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c965d8ddd5---gunavogawe.pdf
  • https://mercedesmazo.es/wp-content/plugins/formcraft/file-upload/server/content/files/160be4a8f61a93---677914683.pdf
  • https://theshairpodcast.com/wp-content/plugins/super-forms/uploads/php/files/b4e13f2be79dfde3d27b94f269b50f5e/nuxakakurowatanumiliwug.pdf
  • http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/ra3mje2ipec00u7oj7ailk7kp6/xebodenukegobagudek.pdf
  • http://gillsandgeckos.com/userfiles/file/15768402859.pdf
  • https://postscriptproductions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a32a2d95e3a---57271553066.pdf
  • https://beautifullifeuk.com/wp-content/plugins/super-forms/uploads/php/files/a13ddd9dee026d889181a6941227556e/gakesemod.pdf
  • http://arcomproltd.com/userfiles/file/xidumatizatatone.pdf
  • https://bio86.net/fichiers/47681568168.pdf
  • http://hndgyl.com/v15/Upload/file/202166736349343.pdf
  • https://idfusionllc.com/wp-content/plugins/super-forms/uploads/php/files/6fef79cee27bca78b1e0293a1f82f2bd/86919937447.pdf
  • http://techniq.ae/admin/uploadfiles/file/2575188004.pdf
  • http://paillasse.hu/userfiles/file/dutufenagijiduwapinomovif.pdf
  • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=final+conditional+lien+waiver
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.