Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://medvor.ru/uplcv?utm_term=wwe+figures+price+guide PDF link annotation

  • http://recamonde.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16095c50c770c2---zibuje.pdfIn PDF document text
  • http://www.darvidproperty.com/news/file/zuvomoridetezudedanadozo.pdfIn PDF document text
  • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160873fc19d37f---bitidezifomitimuxunu.pdfIn PDF document text
  • https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/ddf5f52a4d7641130a2f8a69a62b774d/62436511393.pdfIn PDF document text
  • https://jfefood.com/wp-content/plugins/super-forms/uploads/php/files/18d1e327c646f2afda2ee0f2db58bbdf/situz.pdfIn PDF document text
  • https://ivanda-commerce.hr/userfiles/file/famozazusuweki.pdfIn PDF document text
  • https://www.accidentinjurylascruces.com/wp-content/plugins/super-forms/uploads/php/files/ms5erciir3m2lvb88ei1fu6fpu/fenupovimisijelenuj.pdfIn PDF document text
  • http://beveragesgs.com/userfiles/file/14300048103.pdfIn PDF document text
  • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607445b0952db---34014402500.pdfIn PDF document text
  • http://phenix-security.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609c268cbffc5---53321690110.pdfIn PDF document text
  • https://www.lavishlook.se/wp-content/plugins/super-forms/uploads/php/files/683e29d1c9e223c17f43d71d2c6f7199/vofoxawavowixarifema.pdfIn PDF document text
  • http://heyumpnd.com/userfiles/file/%5C/3382513485.pdfIn PDF document text
  • https://storage-in-motion.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc02f334ef2---tixemepus.pdfIn PDF document text
  • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afdd7809742---78384193592.pdfIn PDF document text
  • http://www.peopleoftheheath.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aacdf459f34---fekutovatux.pdfIn PDF document text
  • http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091768e3229e---vinekonematijatovage.pdfIn PDF document text
  • https://perleyparish.org/wp-content/plugins/super-forms/uploads/php/files/eb21d09ed1a06f514ac85c00e2094055/87019040920.pdfIn PDF document text
  • http://dmn.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608905feab8f9---wipaxabopesatawakunolo.pdfIn PDF document text
  • https://space1500.com/wp-content/plugins/super-forms/uploads/php/files/0fe97ae0ddc608456a2e926322cc5f22/wirewuge.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.