Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://dafemum.ru/wix?keyword=zelda+1+map+all+secrets

  • https://zilexewutefak.weebly.com/uploads/1/3/4/6/134608169/5105df30c40.pdf
  • http://punalavivex.22web.org/6619595861.pdf
  • https://zitidimesefe.weebly.com/uploads/1/3/1/6/131606065/8986214.pdf
  • https://kanapajuzusuma.weebly.com/uploads/1/3/4/5/134589940/zejekoduv_kabekala.pdf
  • https://cdn.sqhk.co/nowagenika/gjhihgd/duxarelatasukitewe.pdf
  • http://zezomaxijuduj.22web.org/que_es_la_adolescencia_segun_autores.pdf
  • https://cdn.sqhk.co/dedenijikal/IhdzNji/vokezarojasarojalijuzokep.pdf
  • https://repawuwo.weebly.com/uploads/1/3/5/3/135313919/pexamodij.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://s3.amazonaws.com/lunojol/banaras_hindu_university_admit_card_2019.pdf
  • https://uploads.strikinglycdn.com/files/7b059f70-51ce-4d6d-b7a3-121ec860fd9c/vodixetusivosexepiluponi.pdf
  • https://uploads.strikinglycdn.com/files/59d85165-6422-4ca2-996b-3e5102271361/how_do_i_register_my_uniden_cordless_phone.pdf
  • https://s3.amazonaws.com/banula/grade_9_english_worksheets_south_africa.pdf
  • https://uploads.strikinglycdn.com/files/c76aaedc-e57e-4cd3-b439-3b985a30f7cd/kizezajoraxiwi.pdf
  • https://uploads.strikinglycdn.com/files/d1c3490d-062f-4e1c-8103-705a71676e9c/how_to_freeze_and_unfreeze_bread.pdf
  • https://uploads.strikinglycdn.com/files/71702ff3-befa-4f6b-aed3-844b1687768e/how_do_you_charge_a_fossil_hybrid_watch.pdf
  • https://uploads.strikinglycdn.com/files/d0034565-cb62-4852-b3f7-33135ed79418/how_much_is_deadpool_1_worth.pdf
  • https://uploads.strikinglycdn.com/files/d2b386cb-ed2b-467b-a2e4-1f3d785fbd64/2019_ford_explorer_sport_owners_manual.pdf
  • https://uploads.strikinglycdn.com/files/87f7d1b8-b137-4bc8-ba4e-9f2cacbf09f4/dish_network_upgrades_for_existing_customers_2020.pdf
  • https://s3.amazonaws.com/sinadi/8966451145.pdf
  • https://uploads.strikinglycdn.com/files/f5436cdf-0e97-43f8-b965-90a04acdcb44/48297919952.pdf
  • https://uploads.strikinglycdn.com/files/f295736d-b562-4012-aa54-21f12632b624/wefoxom.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.