Malicious PDF — malware analysis report

Static analysis result for SHA-256 580eee0f0c4397ae…

MALICIOUS

PDF

Size: 79.7 KB
Created: 2021-03-29 13:50:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae4e4b5cc8000ee8d13757f75e3b27c7
SHA-1: 95f9bec777b2ac7900c27a34cbc060b111ea1b1e
SHA-256: 580eee0f0c4397ae86ddab79e4dd1c4cc93f49ba2b2295a6c08a626afa53caa9
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many of which are part of a link farm designed to manipulate search engine results. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or a scam. The embedded URLs suggest the document is intended to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=pleasant+hearth+pellet+stove+replacement+glass
    • http://dalnoboyi.xyz/surah_mulk_with_urdu_translation_download9p9nf.pdf
    • https://cdn.sqhk.co/rokijatu/atjw5jc/8303550027.pdf
    • https://cdn.sqhk.co/baxoladipezu/2ygdiiC/game_center_app_iphone_download.pdf
    • http://my-favshopf.online/maytag_quiet_series_300_drain_grateokmot.pdf
    • http://bejonigu.22web.org/angry_birds_2_o_filme.pdf
    • http://complect-tech.ru/tatuwojukedejazavakepajul3noex.pdf
    • http://grigolia-studio.ru/jitujavopefw5ajh.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://2e81f42f-67f9-46a9-89e2-a5f3ab3b03ee.filesusr.com/ugd/f138f5_30b94a4ac7004c6e95be21dd764db361.pdf?index=true
    • https://937a8a2d-b41a-4163-aff8-eda6db263557.filesusr.com/ugd/21e6f2_3a5aa8ab22cb43068983ca8add2603f1.pdf?index=true
    • https://57ead060-d7b3-4f59-a803-6c9b47c0028a.filesusr.com/ugd/f30481_a67253f79c934516bbffe4894aa0bb57.pdf?index=true
    • http://pilorivebapo.rf.gd/nesolagelukodilenaseji.pdf
    • http://dagogedimin.rf.gd/5538212389.pdf
    • https://2acf176d-1645-44e4-83be-c67f7ac9af6b.filesusr.com/ugd/e72dd6_8f7f9a437039443d92a13e2395e534e5.pdf?index=true
    • https://b81e1767-bb0d-4562-9f98-cfef66859bb1.filesusr.com/ugd/b48b60_39f39702acdf42a0968e666f51bcd02e.pdf?index=true
    • http://numaxap.epizy.com/zumowipapizaxomil.pdf
    • https://e7ba4f66-d023-404d-a355-a5b98970f127.filesusr.com/ugd/cac9e4_041c7c46d128442ca5110f9f7673c333.pdf?index=true
    • http://vibulowivez.epizy.com/51041168172.pdf
    • https://e6676b24-921d-4f57-8fca-beda98688f3c.filesusr.com/ugd/144d27_9ed18bb0b05e4f2f87dc8d2d8180b674.pdf?index=true
    • https://7fd672c9-0ac8-42d3-9d3c-9ebb2fbea2b4.filesusr.com/ugd/92785a_681a7507f4d94491b2a49b8b96ae8a85.pdf?index=true
    • https://12a3aa02-022d-4218-8efb-90aa4388683d.filesusr.com/ugd/6dfd9b_78e5c063be8e4bc3a374bcfcc11ee74d.pdf?index=true
    • https://47ab6ce1-aee6-4086-a8e7-31fe393d2411.filesusr.com/ugd/afbef4_a60f9327399544db97c1caa60853f8f3.pdf?index=true
    • https://6c8027e1-9878-41b3-a9ef-32ba2b6bcd02.filesusr.com/ugd/185811_7bf1e371c8e546cbbc4de3437dc6e652.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000ecc4.bin
    SHA-256: 298dc5ffe1e3571dcb8e7a22dcc919a47a6738b5e422730a6e3849b20be1f827
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xECC4
    Size: 5148 bytes
  • font_01_sfnt_off0000fe11.bin
    SHA-256: cca12008be9d43cfaa7e19307af32f75a4066307006bd5995114b28669e518b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE11
    Size: 10752 bytes
  • font_02_sfnt_off000122d6.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x122D6
    Size: 4324 bytes