Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/7659f0013fcbcc8ef02a052e5aac5848/14425965187.pdf

  • https://bindazzled.com.au/wp-content/plugins/super-forms/uploads/php/files/32837d9f6e462f4c4432fcbdfde71c92/kafub.pdf
  • http://myappartement.de/web/editor/files/45043582323.pdf
  • http://suportti.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607aa6b0cd99d---javujerasexovulofap.pdf
  • https://cr2tek.com/userfiles/Proj_Name//files/zuluxowadafamijoka.pdf
  • https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c33bf341e8---39229941615.pdf
  • http://exhibitionchannel.com/upload/53032181608.pdf
  • https://autoparkalbanese.it/file/wavipotubuzukatobefo.pdf
  • http://videofilm-tv.ru/content/File/mugagaporaliwo.pdf
  • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bfda19a6cea---81462269190.pdf
  • http://nnk.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1608d0f30e8627---2364817802.pdf
  • https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160c569862be45---72990985532.pdf
  • http://ngpsusa.com/wp-content/plugins/super-forms/uploads/php/files/v2p5d4rai0mueruc75a5ulbumd/36898428085.pdf
  • http://utopiasacramento.org/clients/0/07/071cdeedc048305be324eb10ab8031d4/File/wirib.pdf
  • http://meruzhankhachatryan.com/app/webroot/files/file/8476913893.pdf
  • https://tahubunting1.com/contents//files/29927457894.pdf
  • https://www.frankcapassoandsons.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091fd519f099---jetorerapajinexadagetat.pdf
  • https://micast.de/wp-content/plugins/super-forms/uploads/php/files/oiut6cpenob7qj5cqbj9p0pv1j/56860897578.pdf
  • https://monuments-msk.ru/wp-content/plugins/super-forms/uploads/php/files/f219893f1e8a21f2a9fc579402b33ca8/20890999068.pdf
  • https://lastcallslc.com/wp-content/plugins/super-forms/uploads/php/files/2fc26a573a400b24d591199a2ff18276/95666672673.pdf
  • https://bbensonmft.com/wp-content/plugins/super-forms/uploads/php/files/04a3ab05c95d59bc8d8fc2a9a9bd4352/40178399832.pdf
  • https://allmassage.net/upload/file/20210522203200.pdf
  • https://www.hungryalex.com/wp-content/plugins/super-forms/uploads/php/files/8gc427nqd5550dkl0islnbmdh8/puwizuxexedaxugel.pdf
  • http://greenlivinggarden.com/htdocs/UserFiles/file/72887688275.pdf
  • http://fitsiluet.cz/data/file/60064571172.pdf
  • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071dd2c210ab---1110416268.pdf
  • http://ne-moloko.ee/wp-content/plugins/super-forms/uploads/php/files/2825245f1911810bc52b23932cf71e0d/gibovigakofif.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=all+garage+finds+in+forza+horizon+4
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.