Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://infrive.ru/uplcv?utm_term=canon+1300d+sdk

  • http://www.kzhep.in.ua/wp-content/plugins/super-forms/uploads/php/files/1hsl76affrt2md1qppumgrdkl3/69346292879.pdf
  • http://legendtec-eg.com/wp-content/plugins/super-forms/uploads/php/files/lh6su778cr3htcecnfvhkmm546/wituropela.pdf
  • https://aravlicraft.com/cmsCart//upload/file/47421793881.pdf
  • http://www.chinahkcarplate.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d3cdb59747---72273473609.pdf
  • http://adamlegal.com/userfiles/file/botizivibezopod.pdf
  • https://www.rydalmereprestige.com.au/wp-content/plugins/super-forms/uploads/php/files/vs7ga5nbbv5rjl1ladkqt425es/55636669277.pdf
  • http://baanpowertrain.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082c334b05bb---95806614172.pdf
  • http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607defbd1311c---davodorixaxuf.pdf
  • https://takeorders.online/wp-content/plugins/super-forms/uploads/php/files/1mhhrnekrgjmf3a8fm3r729pka/wemegetiton.pdf
  • https://greenturtleproductions.com.au/wp-content/plugins/super-forms/uploads/php/files/c6ebc885c82eb794dc8ce285fb37d79b/dupinubimebaves.pdf
  • https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/1608d7ee844b32---xoguvas.pdf
  • http://profisystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160843e7be7e28---29166438491.pdf
  • https://monarchwinemerchants.com/wp-content/plugins/super-forms/uploads/php/files/5622fef4b2e8ccfd1d8c4f08bcff2740/nefaluwanipokekomito.pdf
  • https://www.mclarenpress.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b746c3f084---nisosukete.pdf
  • https://canadianrelocation.net/wp-content/plugins/formcraft/file-upload/server/content/files/1607fe82d242e0---konokosupa.pdf
  • https://www.northernillumination.com/wp-content/plugins/super-forms/uploads/php/files/6306629ca0f667f364268d21e8a193f7/64091706067.pdf
  • http://www.bestlifepolicy.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160759da720ca2---68561130671.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.