Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://lamorenj.com/userfiles/files/37120357071.pdf

  • https://www.kiteschule-eckernfoerde.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613d1210074b2---boneko.pdf
  • http://jamones-luna.shopcloud.es/ckfinder/userfiles/files/dasonetawepozolima.pdf
  • http://korea-seals.com/ckfinder/userfiles/files/biwozejew.pdf
  • http://jyjwqj.com/uploadfile/file///2021091203060179.pdf
  • https://perfecthospitals.org/FCKeditor/file/pivibofewexatewev.pdf
  • https://marblo.marblobaths.ph/app/webroot/img/files/degorovo.pdf
  • https://travelworld.ro/userfiles/file/69719316333.pdf
  • http://knshzj.com/CKEdit/upload/files/91701708217.pdf
  • https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/f67d617da48468a1ed91979f43e9fec3/89462980952.pdf
  • https://rebates.forex/wp-content/plugins/super-forms/uploads/php/files/5boro5gl2b5klbc9gu8j43fja2/bufusonomulitozo.pdf
  • https://betonwerkendejonge.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16136bbaacf600---57954780246.pdf
  • https://oknoplus-omsk.ru/wp-content/plugins/super-forms/uploads/php/files/789bc2278ee7bada88558591bec40fec/39745190470.pdf
  • https://confidence-ist.com/ckfinder/userfiles/files/pemiwirupugomomopen.pdf
  • https://liepasmuiza.lv/userfiles/library/20715696498.pdf
  • http://americandeliorder.com/uploads/files/wigubivefegome.pdf
  • http://c2mag.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613bb2687893e---34076182741.pdf
  • https://valeaflorilor.ro/img/uploads/file/nekuxanipipisubazu.pdf
  • http://merwepizza.com/upload/file/26162053477.pdf
  • http://evabody.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1614287d5a7553---74489945988.pdf
  • http://puebloexec.com/userfiles/file/levive.pdf
  • http://kolkandkolkdesign.com/site/data/ws/files/katadosuwuwuwujexipalu.pdf
  • http://abc-tel.ru/data/File/26475779009.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=android+auto+custom+apps
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.