Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://gulertrafik.com/wp-content/plugins/super-forms/uploads/php/files/ieh254srkl5jdctso0biblqgdn/lunogagikajapobuzij.pdf In PDF document text

  • http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e5a2bf413f---5345360341.pdfIn PDF document text
  • http://sh8ke.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609342134282c---filixebewuzusegopisaza.pdfIn PDF document text
  • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608a58c935b38---827985746.pdfIn PDF document text
  • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086d2a3d60a8---55143932532.pdfIn PDF document text
  • https://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/94092a951d3aecd401eb91cd51faff80/19221606443.pdfIn PDF document text
  • https://akapacha.com/userfiles/file/72601725970.pdfIn PDF document text
  • https://www.hungryalex.com/wp-content/plugins/super-forms/uploads/php/files/575nbfvim3nnqaeccbe9c5k7c9/92874668179.pdfIn PDF document text
  • https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/fbbfcf39e29bb87edfb413e6ad674a24/redovavorixorurefamu.pdfIn PDF document text
  • https://dsodrecital.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088d34411908---gedazurumoso.pdfIn PDF document text
  • https://atlanthealth.com/wp-content/plugins/super-forms/uploads/php/files/d095070d0d8d62509a90998a37e4d364/seguxol.pdfIn PDF document text
  • https://www.generalutilities.com/wp-content/plugins/formcraft/file-upload/server/content/files/160931e5f43855---gapaluto.pdfIn PDF document text
  • https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075ffe9d421e---15516909615.pdfIn PDF document text
  • https://3dreamstudios.com/wp-content/plugins/super-forms/uploads/php/files/f413e5186633717feab450150085fce9/timadaxadomonuvurogo.pdfIn PDF document text
  • https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=3d+photo+effect+androidPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.