Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://mezovuduw.ru/strik?utm_term=how+to+pair+my+bose+speaker+to+my+computer PDF link annotation

  • https://static.s123-cdn-static.com/uploads/4410730/normal_5fdf1154db0a2.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4459176/normal_605216fa76cfe.pdfIn PDF document text
  • http://yourdesk.website/how_do_you_do_istikhara_duancu6b.pdfIn PDF document text
  • http://nat-fru.space/736897970032x54k.pdfIn PDF document text
  • http://epipog.com/how_to_write_slope_intercept_form_with_two_pointskiyfj.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4470228/normal_5fe37c338d56e.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4485329/normal_602f6e98ba0e1.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://uploads.strikinglycdn.com/files/987152cc-07de-458a-926b-616318f7a6fd/44821434883.pdfIn PDF document text
  • https://b2f02272-107b-4032-aafc-54cdd6265a16.filesusr.com/ugd/6cf392_6c1d8469fe2e48e6bdbd228a8a405d03.pdf?index=trueIn PDF document text
  • https://e50eee24-2d95-422d-8083-6f618d95927b.filesusr.com/ugd/594ae5_4df8586688954de4b2ca9adadd463565.pdf?index=trueIn PDF document text
  • https://58fabbca-0322-4868-a582-948aa19840f9.filesusr.com/ugd/93748c_0de86f2180b940f3b4975ac96ddc4cc5.pdf?index=trueIn PDF document text
  • https://ce83042b-5faf-46b5-bcbb-9b4d05ec7d33.filesusr.com/ugd/a31856_336f1cc3154f4e1a934ae3ed32ed4d62.pdf?index=trueIn PDF document text
  • https://1cf095b7-1d29-4152-b82c-7733cf7ba0c7.filesusr.com/ugd/c1de29_9d94198d5f434ef99db6fb723efcd3be.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/9e887def-26a3-4ddf-bbd3-35bb035d7237/sizodi.pdfIn PDF document text
  • https://1cd0d4d5-11d4-440c-a307-81f73801f601.filesusr.com/ugd/f0e51d_10b618b9cb504f4cbb96a17b81b86b9b.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/dff5da86-ea7d-45cc-9ff9-4e021cce45ef/leporukofavutuvomoxe.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/cd48b6c2-7f84-4a4c-96eb-e56d443c802e/91672627121.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/6e048315-7a78-4de1-a329-72be056b1e53/little_fires_everywhere_synopsis_episode_8.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/a6b6cc4c-4e84-4567-87be-4c83f5c02d76/lipipanilevafojefifu.pdfIn PDF document text
  • https://22520ec4-2132-45a5-98b8-54db1b71d3ea.filesusr.com/ugd/b33b96_26b5bcdbf6ca47a792553e33fd792aa6.pdf?index=trueIn PDF document text
  • https://de99934f-f465-4d69-af5e-14f317c0a7c6.filesusr.com/ugd/4fea5c_efaebebcc0a54567b9df13fb2e177061.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.