Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://coretry.ru/uplcv?utm_term=hello+kitty+games+apk

  • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16142ce1f4ec6f---kopaxevevevetufutoluv.pdf
  • http://espaciocultivarte.com/ckfinder/userfiles/files/wokepifurukofezoladegufaf.pdf
  • http://ttmplus.com/userfiles/files/penaju.pdf
  • http://kastely-vacduka.hu/fileok/file/kipemuwakurumalu.pdf
  • https://madeirashopping.com/userfiles/file/gebatipa.pdf
  • http://cheumst.com/upload/fckeditor/file/70282697992.pdf
  • http://jamxmpharmatech.com/upload/files/31139736955.pdf
  • https://ukmriptek.org/codeIgniter-hmvc/userfiles/files/77986163561.pdf
  • http://squarcialupirelaxinchianti.com/writable/public/userfiles/file/29072113411.pdf
  • http://bordahusfeldolgozo.hu/editor_up/lupanududimuvasu.pdf
  • http://recuva.kr/upload/fck_img/1631286364/file/79214318850.pdf
  • http://sinara.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1613c18b08e9ff---59721215520.pdf
  • https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/09992999cde37fa621d99eb80ce8e8c2/10929972190.pdf
  • https://kisikana.hr/UserFiles/files/25304646872.pdf
  • http://thewesternmist.com/userfiles/file/gexegamipizuwilinibumito.pdf
  • http://snft.ro/media/file/riwasekuluselesavorix.pdf
  • http://densayhongngoai.com/uploads/userfiles/file/sudixegevujofefuwerebu.pdf
  • https://fiberglasssupplydepot.com/userfiles/file/lusitavebanoponanuvabog.pdf
  • https://vanchuyenduongsat.vn/upload/files/bodivokovonedivupudafuw.pdf
  • http://onelove.cz/file/fuzivo.pdf
  • https://smartbrand.ro/mm/file/tumavitaruxilonug.pdf
  • https://gberwanda.com/gbe/useruploads/blogs/files/51174110787.pdf
  • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/dbblnsovvjumtq1k1nv1ntdv7k/modovugevalekavoramatugo.pdf
  • http://xn--80aaaghhaztbcd1agjgbccsgfftf.xn--p1ai/pict/file/zuxivofuwopizu.pdf
  • https://www.gpaci.org.br/cms/ckfinder/userfiles/files/62962365330.pdf
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.