Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://jottigo.ru/award?keyword=bin+sachivalay+clerk+new+syllabus+2020+pdf PDF link annotation

  • http://zelimuletugebak.22web.org/41523414736.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.indictrans.orgIn PDF document text
  • https://459fb65c-52af-4c88-885a-43a44fbeaf25.filesusr.com/ugd/6a7407_3e0f7cb50578487da3e0991a216924bb.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/7c609053-e3ec-4647-8a7a-5096bdaff29f/windows_server_2012_r2_iso_download.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/4ceca84e-abc9-4b90-a792-d4624f55865a/sepoxuvuroxidu.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e907e4fb-2788-4aed-8221-cfbe49b54ca3/which_information_technology_degree_is_best.pdfIn PDF document text
  • http://pewinajak.epizy.com/48827775740.pdfIn PDF document text
  • http://zuvujenil.rf.gd/wanirokogow.pdfIn PDF document text
  • https://51364a6b-283d-4537-b9df-48522fd8faf2.filesusr.com/ugd/921180_dfd54353945a455492c7e9d50cb4b2c9.pdf?index=trueIn PDF document text
  • https://9005a25f-7293-4a73-bb0f-bc58e8c16807.filesusr.com/ugd/e3834b_f5a05ad9ff764df2a94aa71e17aa707f.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/c45186e3-26e5-4c66-beb5-7904f500d88b/zte_z233vl_tracfone_manual.pdfIn PDF document text
  • http://diretivik.rf.gd/sepuxuwalawexitone.pdfIn PDF document text
  • https://d1ee23ee-9ccf-45b0-80ef-1e1ff1f657c4.filesusr.com/ugd/9ef0c3_95b21f37489b4be087b6666bf1f0cb61.pdf?index=trueIn PDF document text
  • https://07e0a16e-b77d-475b-b724-88bbaedb347c.filesusr.com/ugd/8e9e2f_a4cd21c29f0f4986b9605f7ae7dcfe4b.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/ff59f5e9-bf9e-4969-9c9b-241bcc97a36f/battery_tender_jump_starter_reviews.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/3105c790-e385-4ee4-b8cf-3390ef9f133e/47346082837.pdfIn PDF document text
  • http://topajikof.epizy.com/varilanozuvalat.pdfIn PDF document text
  • http://vodulisus.rf.gd/cactus_y_suculentas_nombres.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/42533380-5d75-4edc-8316-e36054004e5a/skyrim_how_to_quickly_level_alchemy.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/543f0e2e-4d6a-4b04-9f24-5f7158755a68/capello_clock_radio_reviews.pdfIn PDF document text
  • https://d896c2b7-539c-4146-aa8a-b39d26e096d8.filesusr.com/ugd/a98ecc_58798d1367f44cf197017afee901f5a7.pdf?index=trueIn PDF document text
  • https://4ad55601-b8ab-4ae0-bc0e-e90069072326.filesusr.com/ugd/3aca14_ac5c8cd3868d4bd9890c4df73bc8d9ad.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/8e41b0d3-8b9d-4af5-be61-9da13eb8e836/how_to_design_gear_tooth_profile.pdfIn PDF document text
  • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_f7643afdade04dff8bb3534f8b3b93bd.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.