Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c4579f733901031…

MALICIOUS

PDF

  • Size: 87.4 KB
  • Created: 2021-05-09 05:52:25 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: 72545b82659dc0220f84181235d46801
  • SHA-1: ae55445f3f96543c08cbfd928d2fac57b1ba4779
  • SHA-256: 5c4579f733901031422c8c80fc9e85a10d5f2757b3181c84a057cecfa25029a0
  • Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. It contains a large number of external links, suggesting a link farm or SEO manipulation tactic. The presence of a 'Password-protected archive handoff' heuristic indicates a common technique to bypass gateway scanning by instructing the user to download an archive and use a provided password. The primary malicious URL identified is https://maypoin.ru/strik.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://maypoin.ru/strik?utm_term=jesus+mi+fiel+amigo+letra+tab

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000110ae.bin
    SHA-256: f7ec88bce296c4643d720591256346e43c2c63e7d9ff7cfc67606cfd28ebc6f1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x110AE
    Size: 5216 bytes
  • Filename: font_01_sfnt_off00012253.bin
    SHA-256: 7f584407a54310731b019628d4067743604090d4ef8841d4677da3a09376d08f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12253
    Size: 13784 bytes