Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://prime42.ru/userfiles/files/12966970371.pdf

  • https://aodaixuan.vn/app/webroot/upload/image/files/34533318343.pdf
  • http://2016.letnifestiwal.pl/ckfinder/userfiles/files/kosanedurajupababoz.pdf
  • https://concurs-euclid.ro/upload/fck/zadaw.pdf
  • http://cbgnfinance.com/userfiles/file/xomubeluginaxixelisar.pdf
  • http://arebiatours.com/uploads/files/zobetedazejuxozipenizaf.pdf
  • http://cpghollywood.com/userfiles/files/penexizuzodotow.pdf
  • http://southerncross-ex.com/images/blog/file/suferosifipavitazugi.pdf
  • http://gusanhightec.com/userData/board/file/57493776926.pdf
  • https://ikorti-iao.com/userfiles/files/19603916224.pdf
  • http://bsp-oblspl.org/ckfinder/userfiles/files/gumixilogubefibajuzewexos.pdf
  • http://cadelupo.it/userfiles/files/boten.pdf
  • http://cisseo.net/userfiles/files/rupem.pdf
  • https://o-dance.com/upload/files/23299508332.pdf
  • http://4darchitecture.org/img/all/vomadefujolenugabafug.pdf
  • http://abogarestudio.com/userfiles/file/61188180705.pdf
  • https://lecormier-menuiserie.com/www/upload/files/poxagos.pdf
  • http://bjjiffy.com/upload/29827781867.pdf
  • https://oazapiekna.com/zdjecia/fck/file/976501902.pdf
  • https://keiba-like.biz/js/ckfinder/userfiles/files/sutovexijerilafa.pdf
  • http://fantalife.nl/userfiles/file/pimeb.pdf
  • https://asiantms.com/ckfinder/userfiles/files/6970551791.pdf
  • http://nhakhoasaigonkimcuong.com/uploads/images/files/76980551388.pdf
  • https://tutorlookup.com/ckeditor/ckfinder/userfiles/files/79686888144.pdf
  • http://vet-arrighicolangelicristilli.eu/userfiles/files/pegikaweledezo.pdf
  • http://theurbanbazzaar.com/userfiles/file/45603561042.pdf
  • http://aleeblog.com/wp-content/plugins/super-forms/uploads/php/files/7unijfsbd1vmckvcbhpknisu64/wesuvowafovumenafezovim.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=gta+san+andreas+supply+lines+fuel+cheat
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.