Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://radio-salsa.com/php/rs/filesupload/file/mijowunonede.pdf In PDF document text

  • http://iacsglobal.iacsinfo.org/content/uploads/files/tidobijutajenizi.pdfIn PDF document text
  • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608caf22b06fc---84431893145.pdfIn PDF document text
  • http://studioprogettoarchitettura.eu/userfiles/files/92684507029.pdfIn PDF document text
  • http://18554080.com/userfiles/file/88587936350.pdfIn PDF document text
  • http://www.movingintofreedom.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ff64c4d58b---tefod.pdfIn PDF document text
  • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/fn1tunssf4s13f1qvgq65dk244/18740642164.pdfIn PDF document text
  • http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/m22pvl24jlm03i4u3mao625r70/bosefawuxisaperadafosebi.pdfIn PDF document text
  • https://alihuata.com/userfiles/file/83278924955.pdfIn PDF document text
  • http://hungbuloon.com/media/ftp/file/77059064714.pdfIn PDF document text
  • http://www.portofmiamitunnel.com/system/js/back/ckfinder/userfiles/files/79508767886.pdfIn PDF document text
  • http://chixue.com/uploadfile/file/20210818190553.pdfIn PDF document text
  • http://sevenseahotel.com/uploads/images/files/99733945191.pdfIn PDF document text
  • http://hopkinshigh1966.com/clients/1/10/1054c114374c88b4a165e91103565d41/File/xafalurolanemusenuruzafa.pdfIn PDF document text
  • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160941f0fb89fa---74906264139.pdfIn PDF document text
  • https://westcoastmovers.ca/wp-content/plugins/super-forms/uploads/php/files/aa7tjp3chvq0e002ijqviuh44c/detotovogabaketovaluso.pdfIn PDF document text
  • http://maivietnamesecotati.com/uploads/files/21494331949.pdfIn PDF document text
  • https://advancedbusiness.co/wp-content/plugins/super-forms/uploads/php/files/8c2ff1f87445057a05dc34ba5c796646/nebiwu.pdfIn PDF document text
  • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1607958b78e346---musibexurevi.pdfIn PDF document text
  • https://canvasations.com/wp-content/plugins/super-forms/uploads/php/files/2ei6i4qppu0da97pmcp360l671/donunemobega.pdfIn PDF document text
  • https://oteaexpert.fr/cite_imgs/file/lekulijubusivomotuta.pdfIn PDF document text
  • https://www.properties-thassos.com/wp-content/plugins/super-forms/uploads/php/files/9np0534neel4a6c9glv3iqp1kp/49364328907.pdfIn PDF document text
  • https://florerialafloresta.com/ckfinder/userfiles/files/45484486227.pdfIn PDF document text
  • https://0286869143.com/editor_images/files/77158771948.pdfIn PDF document text
  • https://impariant-club.ru/wp-content/plugins/super-forms/uploads/php/files/120c1365189795e631ba4421f7ea0464/vopuladarerinoxowudu.pdfIn PDF document text
  • http://happy-travel089.com/CKEdit/upload/files/rigupiwuna.pdfIn PDF document text
  • https://feedproxy.google.com/~r/skout/mBVl/~3/3CAf4wW3hvY/uplcv?utm_term=diary+of+a+wimpy+kid+wrecking+ball+online+book+freePDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.