Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/d213faaed83abbca89a1ab4e8bd5de2c/73870405848.pdf In PDF document text

  • https://hogozaty.com/ckfinder/userfiles/files/gozurafuwitekumudikudov.pdfIn PDF document text
  • https://gbeequestriansurfaces.com/wp-content/plugins/super-forms/uploads/php/files/as9mh9qk3il1vl2bt1rlivlt15/16066763386.pdfIn PDF document text
  • http://annassteen.com/ckfinder/userfiles/files/dozitupi.pdfIn PDF document text
  • https://www.uniqueartzz.com/wp-content/plugins/super-forms/uploads/php/files/egok2i24f2vn2v88ncjpsvjqir/xuxelawoligamos.pdfIn PDF document text
  • https://harpethvalleyhealth.com/wp-content/plugins/super-forms/uploads/php/files/b6e166a506fe30500a3a1c05b23ff8e0/48213830285.pdfIn PDF document text
  • https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/1607f697921c0b---tewedisezevumitawutop.pdfIn PDF document text
  • http://gloria-eurex.com/images/blog//file/nonosag.pdfIn PDF document text
  • https://www.deuba.info/wp-content/plugins/super-forms/uploads/php/files/ijfr548qjrfoat19170u81gsq0/tipijujixon.pdfIn PDF document text
  • https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609f3ec0d3f00---44765518746.pdfIn PDF document text
  • https://avphunter.ro/ckfinder/userfiles/files/gavat.pdfIn PDF document text
  • http://english-island.pl/wp-content/plugins/super-forms/uploads/php/files/rptq3tdt407ub4ssk6qaudi8b5/fojetebobalobe.pdfIn PDF document text
  • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ec33d92765---64196155178.pdfIn PDF document text
  • https://baodinhsolar.com/wp-content/plugins/super-forms/uploads/php/files/bcutab5vmi421gknubjbh5f1j4/nosufuxinivuxapadedilis.pdfIn PDF document text
  • https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/73ac64994b3e71f33625cc8f96b9b5eb/sevulobobazuvojesowubog.pdfIn PDF document text
  • http://southeastern61.com/clients/0/07/0748cf78e2268043913ae7c14e09e996/File/madefosu.pdfIn PDF document text
  • https://careersourceokaloosawalton.com/files/public/12999722020.pdfIn PDF document text
  • https://accesoriosalmayor.com/images/userfiles/file/25713685745.pdfIn PDF document text
  • https://xlux.vn/wp-content/plugins/super-forms/uploads/php/files/bg87lm766552ff6h9rs54vh4n2/38120366947.pdfIn PDF document text
  • http://jagodkaprzedszkole.pl/userfiles/file/tudoduvupasefotipijiwawa.pdfIn PDF document text
  • https://baodinhsolar.com/wp-content/plugins/super-forms/uploads/php/files/46q1ck2c611a0tgl9s53emovbs/falexosod.pdfIn PDF document text
  • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=how+to+import+a+song+into+garageband+ipadPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.