Malicious PDF — malware analysis report

Heuristics 5

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://qamarapps.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4c56fd2353---54861340672.pdf

  • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/fb46eaa1bc7cfaad1919d24982a7f3cd/zawosadulenaniwa.pdf
  • https://admonks.ru/wp-content/plugins/super-forms/uploads/php/files/43c2499d1a3b6a4b47f532cb763e250c/45205572698.pdf
  • https://giverny-bkk.com/upload/files/jipuzanekolevofukore.pdf
  • https://evocative.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160c8619c3715a---79942370731.pdf
  • http://work4shop.cz/userfiles/file/gisadilafifupa.pdf
  • https://101doctor.com/uploads/ckfiles/files/60b096ce579f0.pdf
  • http://hosungtour.com/FileData/ckfinder/files/20210610_0D5A02F3119F39E8.pdf
  • http://gennarimaq.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16097a19e72dba---danumolodaxuwuzedejutu.pdf
  • https://xn--64-mlcufjjaii0l.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/a82e8cdc2209db98e5f629ed64eb6bef/sidugumigojibefumiw.pdf
  • http://lilit-realty.com/wp-content/plugins/super-forms/uploads/php/files/n5r7e7brk9aunf8ejqmtjt2hn3/zasamevidokulivoxasegub.pdf
  • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bdaab0ac05c---65217967564.pdf
  • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609451ec3a60b---pebidekixesemafuzizixa.pdf
  • http://gennarimaq.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160ba47ce67acb---42262581400.pdf
  • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c58e1c1fe5e---bipobazedurox.pdf
  • http://iideree.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c8824692214---8354195294.pdf
  • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160b3c7c3690ef---85633750474.pdf
  • http://timebank.ru/sites/default/files/photos/pagefile/logozovap.pdf
  • https://www.peeryhotel.com/wp-content/plugins/super-forms/uploads/php/files/27fb4b7e7e1b32f245d52a55047c3f2c/31506779008.pdf
  • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/39779135bfc48218c39e48ea8ead06d0/43677300865.pdf
  • http://vudafrique.com/wp-content/plugins/super-forms/uploads/php/files/120f136ae8c1736f2fd46be5a0c071af/dazikodojexasigidoxez.pdf
  • https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/91e24624elu6anufk2upsg8f7j/dinarilowepupejogadamavij.pdf
  • https://defaico.com/d/files/85555566612.pdf
  • http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0e6af70ac6---runugatutakibamodiwi.pdf
  • http://cbelmira.com/wp-content/plugins/super-forms/uploads/php/files/1grkj4jqo59hs3vdaa9kupp5h3/kolisanafewetovizilujevix.pdf
  • http://mousike.it/img_ins/files/daxatotuxuwivakuk.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=chapter+23+section+1+a+new+deal+fights+the+depression
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.