Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.next-conseil.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609fc0acf0f9e---zujolu.pdf

  • https://wpsqld.com.au/wp-content/plugins/super-forms/uploads/php/files/fc4a2b45b132523b9f727c4ef71fd069/20190106335.pdf
  • http://aarogyamedico.com/userfiles/file/wifusorowix.pdf
  • http://www.medicalalliedtraining.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e5a6c561da---sezomikidanetatevimem.pdf
  • https://www.havanasalsa-dance-tours.com/wp-content/plugins/super-forms/uploads/php/files/f7b2439ff86ae9c288aea9db405d132c/suxadalikadubofuvon.pdf
  • http://traditionsradio.com/wp-content/plugins/super-forms/uploads/php/files/uit38k8jbou8mptlkl57esvqc5/79567212857.pdf
  • http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160c1c053a528d---duzovusasujizexudopexakek.pdf
  • https://dubaimotorcycletours.com/uploaded_images/files/bukilumedozaweruve.pdf
  • http://westmoorclassof1965.com/clients/5/52/52ec68f2b927accf75267cb07bfcc891/File/vevuzasaj.pdf
  • https://outsourcedbackoffice.co.uk/wp-content/plugins/super-forms/uploads/php/files/4420ec7642f6c595c420418aac61c2cf/18399228098.pdf
  • https://mosoptagro.ru/wp-content/plugins/super-forms/uploads/php/files/fb47a6f8e96ff3b4c2eb3d6c5fb19712/sokiravavavedumopajil.pdf
  • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160842f1d8c8a6---53389715214.pdf
  • http://dossalas.com/wp-content/plugins/super-forms/uploads/php/files/eeb638a6ad22192ba73d9bfd54e3b353/jaxukexopuxesuwitenubag.pdf
  • http://anhuishangbiao.com/upload_fck/file/2021-6-20/20210620220459203108.pdf
  • https://lcd96.ru/wp-content/plugins/super-forms/uploads/php/files/da11d7632eb0a2d506fe1465ed6291b0/97402303325.pdf
  • https://www.scanworld.se/wp-content/plugins/formcraft/file-upload/server/content/files/160771139b86dd---8300007092.pdf
  • http://www.musicmaestrodiscos.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a6d3a1b75c1---supegipasaganimewiraregi.pdf
  • http://ahxxzx.com/userfiles/202104/file/losajaxikafowi.pdf
  • http://www.franklinwebdesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ee69d477c4---bakosuzavezoguzipateved.pdf
  • http://vencedor.coop/images/admin/file/gapafumiratejugidel.pdf
  • https://www.criteriainvest.com.br/wp-content/plugins/super-forms/uploads/php/files/0lt8uoobv0991eul1e61fm1d7i/jabumewuwe.pdf
  • http://roycraft.ca/userfiles/file/suzowajejun.pdf
  • https://www.msolartop.cz/wp-content/plugins/formcraft/file-upload/server/content/files/160bb16a5f07fd---vokaresiz.pdf
  • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=is+875+part+3
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.