Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://inwebjor.ru/uplcv?utm_term=bagel+bites+tray+cooking+instructions PDF link annotation

  • http://www.apsetedavisi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d129feaaf3---60879337189.pdfIn PDF document text
  • http://akinmedikal.com/uploads/file/42823815456.pdfIn PDF document text
  • http://planet-for-events.de/userfiles/file/vuvilazu.pdfIn PDF document text
  • https://cuacuonbentre.com/upload/files/54574487408.pdfIn PDF document text
  • http://hasdeu.md/data/userfiles/files/43857870183.pdfIn PDF document text
  • http://raiders71.com/clients/4/41/4134020f2f298c111575624a380fabfc/File/jekuk.pdfIn PDF document text
  • http://raduzhniy.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094854d3c995---kogapemabusivitaxobip.pdfIn PDF document text
  • https://gencshoworganizasyon.com/upload/ckfinder/files/miniruriwufitoliferajeke.pdfIn PDF document text
  • http://skyrun-arser.com/js/fckeditor/editor/filemanager/connectors/php/connector.php/upfiles/file/210626124012758162kpp28p.pdfIn PDF document text
  • http://project-lovcen.me/userfiles/file/vikinajirup.pdfIn PDF document text
  • https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/cd40ddc18e1bc6889673ce480ac9a7ed/20705249613.pdfIn PDF document text
  • http://www.advancedevents.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160f744276d10d---ribavinere.pdfIn PDF document text
  • http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/c6nevhbv5n4mtr7giqbhp8mr57/66767085945.pdfIn PDF document text
  • http://gangwonbnb.com/FileData/ckfinder/files/20210818_35FF998DBD00FF06.pdfIn PDF document text
  • http://cityhighclassof77.com/clients/9/9e/9ea685038b5a197d2022a69b8c6b162a/File/laxiwojukidelu.pdfIn PDF document text
  • https://binarbaid.com/public_html/userfiles/file/mefirojubodov.pdfIn PDF document text
  • https://ceccarbotosani.ro/userfiles/file/18378102013.pdfIn PDF document text
  • https://mimpishiodua.com/contents/files/biboraxuma.pdfIn PDF document text
  • http://2990592.ru/ckfinder/userfiles/files/liruwoku.pdfIn PDF document text
  • https://higher-reason.com/wp-content/plugins/super-forms/uploads/php/files/91gdi5h1d7krp47rl10dao0767/jumenonuw.pdfIn PDF document text
  • https://www.lang-mayer.de/wp-content/plugins/formcraft/file-upload/server/content/files/16096854423c86---pokukawebadavofisugimafon.pdfIn PDF document text
  • http://lokalizacja-gps.pl/userfiles/file/vusubafe.pdfIn PDF document text
  • http://thestarbusan.com/FileData/ckfinder/files/20210714_70F39A3D9A02180C.pdfIn PDF document text
  • http://nwatchonline.net/userfiles/file/35975907748.pdfIn PDF document text
  • http://www.caribbeandentist.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0379b66fd3---rugexiwugebadijar.pdfIn PDF document text
  • https://christembassybarking.org/wp-content/plugins/super-forms/uploads/php/files/e9dc4d99861eca2470d50ac652eea063/22823100841.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.