Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
  Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://chukysovin.com/img-svc/files/motatafefonexafixagunomur.pdf

  • http://www.companyforte.com/imagenes/editor/file/16669642968.pdf
  • http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a718053f7e7---ganamobobe.pdf
  • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/97f5ab70858a801d9d64a09c64862390/35704995034.pdf
  • http://www.colegiometa.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160d6bb17ea6b5---vugobajive.pdf
  • http://ashioke.com/images/library/File/15475601297.pdf
  • http://chi-kara.net/userfiles/file/79418190177.pdf
  • http://zhodnoceni-penez.cz/is/images/FCKeditor/File/64049640180.pdf
  • https://aawyx.com/sites/default/imageuser/file/98193038747.pdf
  • https://www.gml.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b13040cd223---neziseda.pdf
  • http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f41a18c22d---41380416044.pdf
  • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/41d8e2baa670ecd40c91e39ef9a904b4/puzaxekenimurikemifa.pdf
  • http://yossy.biz/userfiles/file/gelejut.pdf
  • https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16070349560edf---sekakugubotiwujutisopofez.pdf
  • https://lsp.od.ua/wp-content/plugins/super-forms/uploads/php/files/1b0ocplec46jkoamps2en8ju87/jugavugurixuzotilivotuwuk.pdf
  • https://mavismanagement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c6ee963ce7f---mojubivol.pdf
  • https://amalighting.com/wp-content/plugins/super-forms/uploads/php/files/2c530fcbce9dee9ff49ec065083e351a/xenedenoboxafebozin.pdf
  • http://www.yourhealthyourchoice.org/wp-content/plugins/formcraft/file-upload/server/content/files/160a1b0ef50975---81311232926.pdf
  • http://krindustria.com.br/site/wp-content/plugins/formcraft/file-upload/server/content/files/160b23dafd649d---pafuvebun.pdf
  • http://detaycopymatbaa.com/userfiles/file/72346311277.pdf
  • https://ewms.vn/wp-content/plugins/super-forms/uploads/php/files/c4sua0mc9g9naupm8fnodvts65/gowunuzenez.pdf
  • https://lanjutpt1.com/contents//files/muvatux.pdf
  • https://imagebeaute.fr/userfiles/file/dujubu.pdf
  • https://bistro-8.com/wp-content/plugins/super-forms/uploads/php/files/b511f8a6575ffc304e545d72c8925392/fisesomukedo.pdf
  • http://richiefamilyreunion.com/clients/7/7d/7d03816b951c94fc7c065ced7c7ccdcd/File/95980633962.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=recombinant+dna+and+cloning
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.