Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://wastran.ru/pbw?utm_term=download+ppsspp+gold+for+pc+free

  • https://static.s123-cdn-static-d.com/uploads/4499995/normal_60b7564495507.pdf
  • https://cdn-cms.f-static.net/uploads/4444353/normal_602760fb6fa69.pdf
  • https://cdn-cms.f-static.net/uploads/4380379/normal_5fdc4bc5ea2bd.pdf
  • https://cdn-cms.f-static.net/uploads/4421473/normal_603e4fa55d884.pdf
  • https://cdn-cms.f-static.net/uploads/4495838/normal_602aff1302e45.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://uploads.strikinglycdn.com/files/f07f4d13-64ca-41c7-bd71-be0f5965babf/how_much_do_david_and_annie_make_on_90_day_fiance.pdf
  • https://uploads.strikinglycdn.com/files/a2046db0-004d-44a1-88ea-f89bf3609283/importance_of_report_writing_in_an_organisation.pdf
  • https://uploads.strikinglycdn.com/files/b63483ad-adb4-4e12-89f1-03aaf51f0612/86604651261.pdf
  • https://uploads.strikinglycdn.com/files/86e50949-dc5a-450d-a924-22c1b597545e/paintball_supply_shop_near_me.pdf
  • https://uploads.strikinglycdn.com/files/ec9559ac-46f5-4f63-a9be-8fa2e2e6a4fd/how_to_get_serial_number_using_cmd_windows_10.pdf
  • https://uploads.strikinglycdn.com/files/edeccd07-fbf7-49a8-9f75-5a42f77ced83/56321826403.pdf
  • https://uploads.strikinglycdn.com/files/e58e868d-0db7-4b0e-abb6-c6e9356f382c/is_100_wpm_fast.pdf
  • https://uploads.strikinglycdn.com/files/36c1c3b4-2d4a-40c5-be90-a83ee90a8c21/free_printable_map_of_uk_towns_and_cities.pdf
  • http://voveras.pbworks.com/w/file/fetch/145117749/ninja_gaiden_dragon_sword_rom.pdf
  • http://luwosotatex.pbworks.com/w/file/fetch/144730122/harry_potter_and_the_prisoner_of_azkaban_pc_game_castle_secrets.pdf
  • http://binovilijire.pbworks.com/f/venum.pdf
  • https://uploads.strikinglycdn.com/files/dd52c26d-8428-4444-b1da-0eb7f82ad6f8/free_printable_colored_fraction_strips.pdf
  • http://sufizilofab.pbworks.com/f/4.pdf
  • http://subuzuj.pbworks.com/f/17711488607.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • https://uploads.strikinglycdn.com/files/e
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.