Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Callback phishing phone lure medium SE_CALLBACK_LURE
  Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://fullcolorspandoeken.nl/userfiles/file/55086419927.pdf

  • https://stpetejazz.com/wp-content/plugins/super-forms/uploads/php/files/gh26bu4aofpdbd9g4kafnoar74/6533091752.pdf
  • http://ipublicity.cz/data/file/64574423555.pdf
  • https://www.siemers-deutschmann.de/wp-content/plugins/super-forms/uploads/php/files/7chfmarpo04ecomqka5obrs7a7/63756584134.pdf
  • http://faizleathergloves.com/userfiles/files/jebaxos.pdf
  • http://www.microsinusectomi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160847cefa8f71---mowagavoruvujo.pdf
  • https://extremetour74.ru/wp-content/plugins/super-forms/uploads/php/files/894b483c41939bf44564ec659d1e664a/timavexekebazedu.pdf
  • http://qtjdb.com/UploadFile/2021/07/03/file/20210703_112727_112.pdf
  • http://hsiwww.com/image/files/20210702_193649.pdf
  • https://tiguan-wiki.ru/file/50235245958.pdf
  • http://www.reroofingbrisbaneqld.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608b683e0be50---sokaxodedibupebamovewij.pdf
  • https://tuabogadoangel.com/wp-content/plugins/super-forms/uploads/php/files/4b2119327406897e445427ad124ae250/gewadorukobew.pdf
  • https://celebicatering.com/upload/ckfinder/files/32609171781.pdf
  • https://amatnieks.com/pictures/image/daxewexotadobuwifofulomam.pdf
  • http://fortlauderdalelimorental.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c4e26d1a8d1---famom.pdf
  • https://shayangroup.net/wp-content/plugins/super-forms/uploads/php/files/a8904c175fc38682b28300be225f685d/tizaviv.pdf
  • https://www.dynasil.com/wp-content/plugins/super-forms/uploads/php/files/9afbe390ce670c649a3a5ea3b0e14aa7/69059156738.pdf
  • https://staffxrecruitment.com/wp-content/plugins/super-forms/uploads/php/files/b555e7bae8202a7493c7d6e8281bd236/87353548845.pdf
  • http://bisenzia.it/userfiles/files/92436614237.pdf
  • https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/h97fmd1866udu91k80kmcfsvc6/44186712585.pdf
  • https://www.colegiodesafio.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc667e3eae---42575557015.pdf
  • http://weberstellen.ch/userfiles/file/83585981083.pdf
  • http://bilafafafa.com/shopadmin/upload/files/89789610212.pdf
  • http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607359108b1f7---2389583630.pdf
  • http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160bb313c31a4e---xadimisaro.pdf
  • http://portalcom-b2b.es/img/user///file/_0446134001621898390.pdf
  • https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=spa+operating+procedures+and+policies+manual
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.