Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d2da2cb948993d6…

Verdict: MALICIOUS
File type: PDF
Size: 87.4 KB
Created: 2021-04-09 05:37:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 699d24b8dc270631bdf8a867b1e200cc
SHA-1: 4310769ac61ac1848e667930587512f72b9c0b48
SHA-256: 8d2da2cb948993d6d9abc1b2ab221e8b125feaa9f378dc088169569c8e317ea6
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting it functions as a link farm or phishing lure. The embedded document body, though heavily obfuscated, appears to be related to 'Analects of Confucius Book 1 analysis', likely a pretext to drive traffic to the malicious URLs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/strik?utm_term=analects+of+confucius+book+1+analysis (PDF link annotation)
    • https://voxivunesiru.weebly.com/uploads/1/3/1/4/131407918/5f113.pdf (in PDF document text)
    • https://jevuzukolusiwu.weebly.com/uploads/1/3/0/7/130739503/xafasi_nemoto_zisewadegeb_sokif.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4415770/normal_5ff5cd6b54bdc.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4465691/normal_5fd15cae26f14.pdf (in PDF document text)
    • http://zafikapasipugog.medianewsonline.com/niwotajenesadup.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4459188/normal_600bc8931af0c.pdf (in PDF document text)
    • https://jomibijavajele.weebly.com/uploads/1/3/1/4/131409275/raxor_jozolatobeb_xiwosusaw_xatowa.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4372101/normal_5fca9566dd434.pdf (in PDF document text)
    • http://rupazaduxil.mywebcommunity.org/the_invisible_man_hg_wells_chapter_summary.pdf (in PDF document text)
    • https://gomimujexewawid.weebly.com/uploads/1/3/1/0/131070583/261172.pdf (in PDF document text)
    • http://bugiwuxad.medianewsonline.com/summa_theologica.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://83f018a0-8e49-44f0-b57e-805e464a5f06.filesusr.com/ugd/10a4aa_a134cfec50d74226a41c5f09627a5154.pdf?index=true (in PDF document text)
    • https://a909b8fe-7c6e-4467-a5b6-92e64a2a5b5d.filesusr.com/ugd/65efca_cef24f2458c249eb8e031106579dc933.pdf?index=true (in PDF document text)
    • https://06b91503-bda4-4bbd-a69c-520552d4e402.filesusr.com/ugd/07c5d0_3f457139c24b439f9f71ff5a5245a4e1.pdf?index=true (in PDF document text)
    • https://a49aa754-465e-4bbd-924e-b3d0e7b66bd4.filesusr.com/ugd/81d6a4_d7f5c06436e348af8921fd79c0b589c4.pdf?index=true (in PDF document text)
    • https://5637a596-61ce-4e67-8953-8fd9cb84b940.filesusr.com/ugd/c20ea7_8cf1b2dfaaf940e09429fe1e605e4a33.pdf?index=true (in PDF document text)
    • https://679cd94f-bb1f-411a-9684-d99498fe93d6.filesusr.com/ugd/ce16d4_7491240a4bb74dbab77ca3fe103c220e.pdf?index=true (in PDF document text)
    • https://a72b158e-cead-41d6-a0b3-8518216316a4.filesusr.com/ugd/35c6e2_e96f4912eeb945e09f40cbcc28553c0d.pdf?index=true (in PDF document text)
    • https://9cfe8934-cc69-4f76-a0d0-2e9849ea4530.filesusr.com/ugd/fd9558_86dae223f9314190bfdff0c8c00cc64c.pdf?index=true (in PDF document text)
    • https://67258aaf-84c5-4a88-bfd2-1aa7ddb6c27a.filesusr.com/ugd/850f07_1ff24dc2fc0f45e0917462700c094eb5.pdf?index=true (in PDF document text)
    • https://f50ece36-1901-4a7b-9396-968a400df7f4.filesusr.com/ugd/3ecb95_7069b5b74a1a4a0b89b5c0c19e3d45ad.pdf?index=true (in PDF document text)
    • https://790985df-dfec-4a08-b509-00f37668cf87.filesusr.com/ugd/a421e3_9e0c14f43bd642de8d907a7e40a2814f.pdf?index=true (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • font_00_sfnt_off0001032c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1032C
    Size: 6208 bytes
    SHA-256: a0337235e1c06be48d792dc4d470deb93e33a94214c8c46bd046e7c490251c76
  • font_01_sfnt_off00011887.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11887
    Size: 5124 bytes
    SHA-256: f86f2f9a5b6e3e8ce4cbefc39eab3a524db6dc43ee7b85594b58c4226020c6e7
  • font_02_sfnt_off00012a20.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A20
    Size: 11180 bytes
    SHA-256: 1eafedd04f3e666b66c549225f832b90fee6a026108f9f63677177eca89a4690