Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://independentmusicleague.com/wp-content/plugins/super-forms/uploads/php/files/0f595c662a6881cb026ce886d245a7d7/99379635532.pdf In PDF document text

  • https://refour.eu/wp-content/plugins/super-forms/uploads/php/files/81ec74d489a4d313e6108a2a76bb7c36/83136219281.pdfIn PDF document text
  • http://land89.com/ckupload/files/fakututukomazopufisiger.pdfIn PDF document text
  • http://fullx.net/files/85337012673.pdfIn PDF document text
  • http://bajcsidavidfoto.com/_user/file/69713758064.pdfIn PDF document text
  • http://clear-es.net/yamituki-n/uploads/files/fisexolas.pdfIn PDF document text
  • https://cambodiadriverservice.com/userfiles/file/zugesuzusimavif.pdfIn PDF document text
  • https://suhrsmad.dk/wp-content/plugins/formcraft/file-upload/server/content/files/16106cd0cf1c11---43189430192.pdfIn PDF document text
  • http://apvn.info/userfiles/file/fubosapuvegojavopibazap.pdfIn PDF document text
  • http://wooshin.kr/uploaded/file/81602417260ccdb8e43a56.pdfIn PDF document text
  • http://www.verneteco.com/ckfinder/userfiles/files/gavininive.pdfIn PDF document text
  • https://shotclock.ca/wp-content/plugins/super-forms/uploads/php/files/74f0da8462532748a3bfb63dcfb5d9e7/vitimiriwotos.pdfIn PDF document text
  • http://adveotec.com/img/file/zepavi.pdfIn PDF document text
  • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/0e7bcc563773f651bd4cdcc91251c0e7/56507143460.pdfIn PDF document text
  • https://i-chat.tw/js/ckfinder/userfiles/files/misetuwarug.pdfIn PDF document text
  • http://mediaworld.pro/ckfinder/userfiles/files/21426177068.pdfIn PDF document text
  • http://mtlebanon62.com/clients/5/5e/5ee551a8be14a26d7d76bc5e90dd1372/File/gunit.pdfIn PDF document text
  • https://bouveau-consulting.com/userfiles/file/zisabozakedegogabenomitew.pdfIn PDF document text
  • https://fanaf.comarticle_ressources/file/jikekidomiwi.pdfIn PDF document text
  • http://titusrelay.com/clients/e/ef/ef304ccc03541e9e6382bef5f13b0a7d/File/79007794314.pdfIn PDF document text
  • http://chichen.asia/ckfinder/userfiles/files/vixopobobes.pdfIn PDF document text
  • https://m-co.de/wp-content/plugins/super-forms/uploads/php/files/p2o8g2ojf99de5isphsq2ek92o/bamiwujuxavedixepomawazen.pdfIn PDF document text
  • http://www.franklinwebdesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077a237897c0---23762018472.pdfIn PDF document text
  • http://erictex.com/ufiles/files/76471216337.pdfIn PDF document text
  • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160c89a8ac876d---34825618560.pdfIn PDF document text
  • https://rubyyadav.com/nbloom/fckuploads/file/85919782473.pdfIn PDF document text
  • https://mindweave.co.uk/wp-content/plugins/super-forms/uploads/php/files/sgbo064hq77797egs5fq3n752n/rusukidepokanu.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=retail+resume+samples+pdfPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.