Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.webplease.it/wp-content/plugins/super-forms/uploads/php/files/v5rjuj19jm3tcukdeqpg6nq8m8/43673978326.pdf

  • https://portsidestrategies.com/wp-content/plugins/super-forms/uploads/php/files/632f2d8a466c6c45b1f65302ab583a97/wimadilavatemovovaka.pdf
  • https://healthcareadvisorsgroup.com/wp-content/plugins/super-forms/uploads/php/files/el752347o7kmho4p9mbs1df5t6/76117461749.pdf
  • https://www.napariverinn.com/wp-content/plugins/super-forms/uploads/php/files/876066f1ea248ddbc13ded0c47f51bf2/82936584385.pdf
  • https://www.cittadelmiele.it/wp-content/plugins/super-forms/uploads/php/files/f85fe987e2efb42449f9b83320694dd7/71976595053.pdf
  • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d826355133---filopurigazazevarap.pdf
  • http://www.holzbau-hoelzl.at/wp-content/plugins/formcraft/file-upload/server/content/files/1607ea584312ca---9319761451.pdf
  • https://amatnieks.com/pictures/image/xiraselo.pdf
  • https://malimbe.africa/wp-content/plugins/super-forms/uploads/php/files/d1cb54e148105228ad5192db8b6b559f/95515487991.pdf
  • https://pluviaterra.mx/wp-content/plugins/super-forms/uploads/php/files/f27a413f8590f128f8beba3377a31221/devewatusi.pdf
  • https://impariant-club.ru/wp-content/plugins/super-forms/uploads/php/files/182125c3c9f27472b7201dc5d555b7ff/28055690556.pdf
  • http://digimaap.com/wp-content/plugins/super-forms/uploads/php/files/8d8bodv1n9kof8o5ofrr10e4r3/dubademozo.pdf
  • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/8cdd40b1a78f005f933422679419b60e/47608848408.pdf
  • http://alibabashipping.com/userfiles/file/fizopi.pdf
  • https://autoschiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608d1c2ae7db2---woboxa.pdf
  • https://militarynetwork.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607de1a974e49---41987836800.pdf
  • https://pankalconstructora.com/wp-content/plugins/formcraft/file-upload/server/content/files/160870b289ba08---loramajetokelasedeme.pdf
  • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=citra+emulator+android+cheats

Open this report in the interactive analyzer, or submit your own file for analysis.