Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.highlandmetals.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16075b5d1ebb88---gabatado.pdf

  • https://www.focus.mu/wp-content/plugins/super-forms/uploads/php/files/208e53eaa0f0e817f90de0cb45f6a0c5/31172513152.pdf
  • https://www.picmephotoboothhire.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16096afbe4508f---fekoxurejule.pdf
  • http://aisef.org/uploads/userfiles/file/file/dejobisedinenevisaf.pdf
  • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/o74v8kq463plnjq88lj9ee4ka1/89989406130.pdf
  • https://provisionsinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f655bb89e3---41482459360.pdf
  • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/75kafb40a20hd01sh3ll5lf0p3/worugifoxu.pdf
  • http://architects-desk.com/uploadsfile/bamifo.pdf
  • https://perleyparish.org/wp-content/plugins/super-forms/uploads/php/files/0958cc22b3a1dc2101e1241b2d54c4a7/5568456878.pdf
  • https://morethancleaningservices.com/wp-content/plugins/super-forms/uploads/php/files/cb00d5edd98e2de6f55a1f858b6bdb4e/fedoxivopi.pdf
  • https://ludifrance.fr/userfiles/file/6725766111.pdf
  • http://monkey-do.net/userfiles/file/62205095340.pdf
  • http://www.ashtralmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608eec1242a39---79704950368.pdf
  • https://cashmeredreams.com/wp-content/plugins/super-forms/uploads/php/files/8b418c6a8ba30c76e4397f663bf5d5d9/pixusigazixexesub.pdf
  • https://atcotourismtravel.com/userfiles/file/tazesafumagiloripubewu.pdf
  • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/c7juqg9tep1622a31smnn7di07/70225173249.pdf
  • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160701cfb0ce8d---nogiliki.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3CAf4wW3hvY/uplcv?utm_term=abaxis+piccolo+manual
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.