Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://laborke.ru/uplcv?utm_term=ragdoll+cat+grey+and+white PDF link annotation

  • http://gostium.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c1bc2dfca7---zugegumegukudotid.pdfIn PDF document text
  • http://traditionsradio.com/wp-content/plugins/super-forms/uploads/php/files/qe4d1rktannbac0gqneppfenk7/40740768147.pdfIn PDF document text
  • https://amagi.la/wp-content/plugins/formcraft/file-upload/server/content/files/160a52ace93007---lifuxu.pdfIn PDF document text
  • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076be0735771---52231602234.pdfIn PDF document text
  • http://aksaaydinlatma.com/img/editor/image/file/witiramixosebaleg.pdfIn PDF document text
  • https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609229922ad7e---52611496233.pdfIn PDF document text
  • http://webinaris.biz/ckfinder/userfiles/publics/files/54514914708.pdfIn PDF document text
  • https://thesaddlebank.com/wp-content/plugins/super-forms/uploads/php/files/t1e1mppq21fs8bt3ihrct3oh0s/74349020679.pdfIn PDF document text
  • http://paulbwatkinslaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/bebuvewugotopanadukoxe.pdfIn PDF document text
  • https://www.tangelo.no/wp-content/plugins/formcraft/file-upload/server/content/files/16080378e8e41a---vupobu.pdfIn PDF document text
  • https://oiweld.com/wp-content/plugins/super-forms/uploads/php/files/fd493d4b965cfc8d668c3f61851ae91c/sobigutafu.pdfIn PDF document text
  • https://gtsonline.nl/wp-content/plugins/super-forms/uploads/php/files/niiunnsfsn38q5m1svdhshoa1m/85300552672.pdfIn PDF document text
  • https://asiatravel.kg/wp-content/plugins/super-forms/uploads/php/files/8f411826144aa6a3430b15c936b6b5d5/90598590976.pdfIn PDF document text
  • http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b63a788d33f---59327904540.pdfIn PDF document text
  • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/16079375ddc8c1---bisosove.pdfIn PDF document text
  • https://susta.vn/userfiles/file/jolezogupobuwulosomodex.pdfIn PDF document text
  • http://nw-line.ru/generic/uploaded/defilexutalere.pdfIn PDF document text
  • https://wills.sg/wp-content/plugins/super-forms/uploads/php/files/b57210db50c095645730ce0b7784fa8c/41962147674.pdfIn PDF document text
  • https://primewestelectrical.com/wp-content/plugins/super-forms/uploads/php/files/fdeafa8ed4fc472f0bd6deeb3fa54450/64250513681.pdfIn PDF document text
  • https://snabavto.com/wp-content/plugins/formcraft/file-upload/server/content/files/160984328779b9---94213077391.pdfIn PDF document text
  • http://aksaaydinlatma.com/img/editor/image/file/67080170865.pdfIn PDF document text
  • https://smilepath.com.au/wp-content/plugins/super-forms/uploads/php/files/d416c48cca9b5fd0051ba11d659ab78d/danepujulumikamaririxafi.pdfIn PDF document text
  • https://doellefjelde-mussemarked.dk/images/newsmail/file/bazoguxu.pdfIn PDF document text
  • http://www.stockholmswingallstars.com/wp-content/plugins/formcraft/file-upload/server/content/files/160799625d64a6---56375286290.pdfIn PDF document text
  • https://mebelihome.ru/upload_picture/30825829751.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.