Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://lozipotod.ru/aws?utm_term=california+association+of+realtors+rental+agreement+addendum PDF link annotation

  • http://sitizinudex.getenjoyment.net/55172540117.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4402745/normal_5fe6e3bba55b1.pdfIn PDF document text
  • https://cdn.sqhk.co/jisanipu/hibqjeY/bopemobiwiwosepu.pdfIn PDF document text
  • https://cdn.sqhk.co/liripudeb/ihifge4/.pdfIn PDF document text
  • https://tolibalib.weebly.com/uploads/1/3/4/7/134714968/deluvel.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4447465/normal_5fe0d02f40410.pdfIn PDF document text
  • http://zomolejefej.mywebcommunity.org/83162467853.pdfIn PDF document text
  • https://cdn.sqhk.co/vafegijateno/cTOjit6/ecru_white_color_hex_code.pdfIn PDF document text
  • http://tiwilofojifig.sportsontheweb.net/35531335927.pdfIn PDF document text
  • https://nukimaxirob.weebly.com/uploads/1/3/0/7/130776041/webux_wegisenavu_kaxem.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4406806/normal_5fd6232cc0798.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4383687/normal_5fcf58a02971b.pdfIn PDF document text
  • http://fezufizibum.mypressonline.com/admiral_heavy_duty_super_capacity_washer_manual.pdfIn PDF document text
  • http://nopuvobetag.mygamesonline.org/how_to_remove_bosch_stacking_kit.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4369776/normal_60195832ecf64.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.daltonmaag.com/In PDF document text
  • https://6ba8113a-99dc-4618-97bf-d7180f10ff72.filesusr.com/ugd/b6edda_9b747bac5da546b1abb394947426a50f.pdf?index=trueIn PDF document text
  • https://6e37e838-c278-4d46-baa9-25b8497af200.filesusr.com/ugd/fbcb80_31c078ac590948d8bef25397265e56fa.pdf?index=trueIn PDF document text
  • https://7722bba5-72ad-4d15-a72d-9ce9fbdcf1b5.filesusr.com/ugd/772ad5_2d943a9b7da74d4cbb0f2df4f74c776b.pdf?index=trueIn PDF document text
  • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_bc7b38a5f8844d99871a881d6c0aa081.pdf?index=trueIn PDF document text
  • https://2a983b51-2e13-4971-8c1f-a5bca3ab4353.filesusr.com/ugd/e1a791_7ba582ef70f042d19fe2d177d56e3c88.pdf?index=trueIn PDF document text
  • https://aa6d2f86-95e2-42cc-897e-6bbd71c3a116.filesusr.com/ugd/78daac_f5fe2feecf4242aabb1b8ac8c6f5975b.pdf?index=trueIn PDF document text
  • https://441768bb-9839-4df4-8f78-dd1233b527f6.filesusr.com/ugd/7e6080_dc0a09ab264841a5bc8de44fa951cf90.pdf?index=trueIn PDF document text
  • https://d19688e0-347f-4d9d-8cb3-d47c6e049f3d.filesusr.com/ugd/c618e9_f3542f9325b5470ebd727bfaa443de21.pdf?index=trueIn PDF document text
  • https://cb2d4818-2134-4ea5-ae57-1bc45cfc4292.filesusr.com/ugd/7e787c_d33e7935e23a4500b237e475936b6711.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.