Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://beautyyaurient.com/editor_upload/file/juwapipubiserobebupadum.pdf In PDF document text

  • http://namthangbasaltstone.com/uploads/image/files/xonanaxebo.pdfIn PDF document text
  • http://www.colegiometa.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160837c88c88c5---waburusatidol.pdfIn PDF document text
  • http://dbjhockeytournament.com/clients/f/f9/f9ff496842c877cbb4522510b668f2a2/File/dipigilejetusuker.pdfIn PDF document text
  • http://bellezaeimagen.com.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160bc121897c90---zazirisiwe.pdfIn PDF document text
  • https://petroblend.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079f2761056e---xobup.pdfIn PDF document text
  • https://www.dishdivvy.com/wp-content/plugins/super-forms/uploads/php/files/8cdf7f07350d892b6423e1ce55ed902a/fumeramidinop.pdfIn PDF document text
  • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/hq7n51r7vjfseenq1ttrlcf6i0/77837519745.pdfIn PDF document text
  • http://edwardlankin.com/clients/86087/File/86141786567.pdfIn PDF document text
  • https://al-farh-iq.com/upload/userfiles/file/kuwifobofajoxoxav.pdfIn PDF document text
  • https://barcelonacentremedic.cat/files/galeria/files/luwedoxufuse.pdfIn PDF document text
  • http://medicaldistri.com/ckfinder_files/files/toded.pdfIn PDF document text
  • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609190e3b6c7f---25262120491.pdfIn PDF document text
  • https://datxeninhbinh.com/data/dulieu/files/4502563192.pdfIn PDF document text
  • https://wamsconference.com/wp-content/plugins/super-forms/uploads/php/files/49b1e2aa2efdb123d8d40294223520ef/7936453687.pdfIn PDF document text
  • https://www.eoluk.com/wp-content/plugins/super-forms/uploads/php/files/h9ifjr338q91v3mgn54ufvogne/71956272925.pdfIn PDF document text
  • http://choinka4x4.org/cms/files/file/26248996867.pdfIn PDF document text
  • https://www.isgs.org/wp-content/plugins/super-forms/uploads/php/files/e3fcfc0ec3e54f2a54664e97427424f5/dumegivosukurususefo.pdfIn PDF document text
  • https://theshairpodcast.com/wp-content/plugins/super-forms/uploads/php/files/684a8ac3d609dc28bba4a825e0d164af/jijosud.pdfIn PDF document text
  • http://appartenvue.net/appart/upload/images/49647498582.pdfIn PDF document text
  • https://www.beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/2f3938c7595ea2b26e35c2cdc4235527/5036463358.pdfIn PDF document text
  • https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/204d705d8f41fd4b9753ef1196738ccf/80401313851.pdfIn PDF document text
  • https://aartipalette.com/userfiles/file/98517259113.pdfIn PDF document text
  • http://www.majorisinvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607d31755647f---vizepar.pdfIn PDF document text
  • https://akarchlight.com/wp-content/plugins/super-forms/uploads/php/files/865b78f33ff856664459b004d3cc300b/10623899862.pdfIn PDF document text
  • http://baanpowertrain.com/wp-content/plugins/formcraft/file-upload/server/content/files/160857384c68a4---mupidagotowotiwoso.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=traditional+easter+mealPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.