Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e8d0ba8c9a298c2…

Verdict: MALICIOUS
File type: PDF

Size: 77.7 KB
Created: 2021-03-13 21:21:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 2041e37b62720f7b421e8fe61239383d
SHA-1: a59cd98ff404dea2f9ec89a4caa9129b51f30dcf
SHA-256: 7e8d0ba8c9a298c2e92161cbb432a536e610b0cb2c2743fa39a692b0668fc3e3

Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The heuristic 'PDF_SEO_LINK_FARM' suggests the document contains a large number of external links, likely to manipulate search engine results or redirect users to malicious sites. The embedded URL 'https://gimoguvi.ru/wix?keyword=bienvenidos+a+la+clase+de+espa%25C3%25B1ol+en+ingles' is a primary indicator of this malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/wix?keyword=bienvenidos+a+la+clase+de+espa%25C3%25B1ol+en+ingles
    • https://cdn-cms.f-static.net/uploads/4470221/normal_5fea21f49e175.pdf
    • https://cdn-cms.f-static.net/uploads/4421040/normal_60229a359c060.pdf
    • https://static.s123-cdn-static.com/uploads/4421477/normal_5ffda8834ded7.pdf
    • http://xtrading.buzz/what_are_the_three_symbiotic_relationshipsudwbg.pdf
    • https://static.s123-cdn-static.com/uploads/4463010/normal_5fe1f84c96dfc.pdf
    • https://static.s123-cdn-static.com/uploads/4402517/normal_5fe06b9232b34.pdf
    • https://cdn-cms.f-static.net/uploads/4488316/normal_601eca94ccd90.pdf
    • https://cdn-cms.f-static.net/uploads/4484820/normal_5fe7577ae3d9f.pdf
    • https://cdn-cms.f-static.net/uploads/4423780/normal_6020aace0b121.pdf
    • https://static.s123-cdn-static.com/uploads/4366623/normal_5fc66ef135c89.pdf
    • http://itfamily.pro/64613844737xp8hn.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://d920bd67-dfaf-4c99-85b0-fcb8118dfb91.filesusr.com/ugd/383849_0a3eee7adae24587bf7dc31f38b7a263.pdf?index=true
    • https://be08d7d4-326a-4801-be9d-4496af17a43b.filesusr.com/ugd/d31907_eb7edd9b23d049ec970901bc97ba2860.pdf?index=true
    • https://c2dbac7f-2075-4dc1-ad03-af0d0352bff2.filesusr.com/ugd/278743_5a4a1a7422af4d37a2fb4fb570ba54d8.pdf?index=true
    • https://22e365c6-0853-42e1-82f8-83473bf9c0bf.filesusr.com/ugd/217d68_b410864d6330499d972f21cbfde6ff8e.pdf?index=true
    • https://c145ee04-3c3b-4786-8b94-e0511401b322.filesusr.com/ugd/de65f7_4d90a674da874229a9fc507ef2c6ab29.pdf?index=true
    • https://d4e73f68-9870-4c81-be0c-0a6dd7607cd2.filesusr.com/ugd/6f53d7_4325774d15814a4f9a75e4297520f7e1.pdf?index=true
    • https://s3.amazonaws.com/vudivuzakal/betterley_report_cyber.pdf
    • https://1eba3b37-3dce-45e8-aa15-e51a58efc0fe.filesusr.com/ugd/89e37c_7b38280ba054405ba9cc3c5779bda842.pdf?index=true
    • https://s3.amazonaws.com/begijufadi/full_block_letter_format_spacing.pdf
    • https://39c1d623-eccb-4af0-a86a-15328a2d61f9.filesusr.com/ugd/3cb6cb_903eda26e16c4e6d9b04c1d1e04466e8.pdf?index=true
    • https://5902ff30-e651-486c-ac37-3e8383bfa78f.filesusr.com/ugd/f35da0_9363648ba3f34f63949f59b2028336d7.pdf?index=true
    • https://s3.amazonaws.com/gixawetopoli/amplified_bible_app.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ec69.bin
SHA-256: 372153711e9f44ef9f6558d524f182e5ae9122e6270051b8c2f5a9bd2b70b15c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEC69
Size: 5464 bytes

Filename: font_01_sfnt_off0000fedd.bin
SHA-256: c684f317163857cf7ca4a20eee73a08dbb02d70f04314d57801a581452fa9096
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFEDD
Size: 12220 bytes