Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://mezovuduw.ru/strik?utm_term=james+patterson+new+book+releases+2019 PDF link annotation

  • http://tolumibawaka.iblogger.org/what_is_the_secret_history_of_the_mongols.pdfIn PDF document text
  • https://cdn.sqhk.co/mozoposowi/bhz6jZg/peneme.pdfIn PDF document text
  • https://cdn.sqhk.co/neliwuwo/giUsWRR/fijedofosupizi.pdfIn PDF document text
  • https://cdn.sqhk.co/diwiporeb/iijbHHe/discovery_family_go_roku.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://6e8b94c7-278c-4a65-9c30-8d61c93a8f31.filesusr.com/ugd/9ff9b8_9844a7c287264b1597311ab59c27fbe2.pdf?index=trueIn PDF document text
  • https://e0271a52-a7af-48e9-8a99-924ce320ec62.filesusr.com/ugd/be5703_9b273a76106149adb5728a1d65c18c58.pdf?index=trueIn PDF document text
  • https://8ab1a2d5-e5b1-44c5-a28c-e09959565f0d.filesusr.com/ugd/eb712c_3fe828ff1cfe4e7493699d9ca00cf09d.pdf?index=trueIn PDF document text
  • https://a21f0d7d-5fe0-4a99-a381-3b18266e0880.filesusr.com/ugd/6c313a_e6d7a2be7b074723b9039ccbb20c6933.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/cb865a0b-40bf-471c-82e4-b329127caca3/39717971635.pdfIn PDF document text
  • https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_0364966cf0844b6ba0d09c1eec292ac9.pdf?index=trueIn PDF document text
  • https://98be45bc-63b9-4117-aff7-84a3d4f2c4a0.filesusr.com/ugd/90c678_798ec865aefa4fd6bc89c527570c227b.pdf?index=trueIn PDF document text
  • https://1a6defe7-92a0-4357-8a70-d3bce85d30c9.filesusr.com/ugd/385065_f110091fbafb4b358feb217f42fa4a62.pdf?index=trueIn PDF document text
  • https://f815f12b-539f-4060-8ed9-abd2caada31b.filesusr.com/ugd/ceb2e8_ac64acc7a0ad47ee824c55879244292b.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/c437252b-2f06-4810-88fb-e6918e5439a3/97586437728.pdfIn PDF document text
  • https://0c1adbbe-b65a-4c28-9da2-87cea21e0636.filesusr.com/ugd/496951_14340ffaf5454c609704ecbf13ae3802.pdf?index=trueIn PDF document text
  • https://11fe2947-f393-4df3-905d-f9f3730e834a.filesusr.com/ugd/b1b16e_ecd31b65dcd74cfaaf8e0b4d462769eb.pdf?index=trueIn PDF document text
  • http://nipesuvaz.epizy.com/17107878950.pdfIn PDF document text
  • https://4ef57e19-9a2e-4e6f-a444-f6b59f982a39.filesusr.com/ugd/4c1554_e362795f90ec4fb0af0c7b8595b83d7c.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/5baa3d49-b076-4823-a84b-bf436678af25/7151639075.pdfIn PDF document text
  • https://636e06b3-920c-4898-b827-ef778bbbc101.filesusr.com/ugd/40512e_30191480acb24b40ac3ff174dff377ff.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/7f98b95c-9eb2-45d6-8685-c9660f106f7d/wevulupebepi.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.