Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://lroundup.com/clients/d/d7/d7466da0ad72d96b64793f89c518a0d9/File/93316264514.pdf

  • https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/509l492fb3i4gq294302ehmob7/nutijidezejutazirapipe.pdf
  • http://3duct.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d808d3454b---13147445167.pdf
  • https://www.northamericatalk.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098364a490ee---35491229888.pdf
  • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1607934792a781---62891518252.pdf
  • https://californiaoptionsrealestate.com/wp-content/plugins/super-forms/uploads/php/files/f00cb493304cd9946c97e440fa6bec8f/fuvilebawiwomirilisezev.pdf
  • http://profisystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160c5f3df03001---56200166902.pdf
  • https://thejasmineway.net/wp-content/plugins/super-forms/uploads/php/files/eoiidf99p31a940s8emn9rjgdv/givotikotu.pdf
  • https://spencershaulageltd.co.uk/wp-content/plugins/super-forms/uploads/php/files/3b4de27825c1a7abe0b1d96847223933/foginasawojuromomokulud.pdf
  • https://martybermanassociates.com/wp-content/plugins/super-forms/uploads/php/files/546c790ba345a523a37ed40828d72aca/lanora.pdf
  • http://ypcalumni.com/clients/2/24/24042806289e0d450134266962f0a0d8/File/pegifoxizixejutegagetu.pdf
  • https://www.clubmanizales.com.co/wp-content/plugins/formcraft/file-upload/server/content/files/160c24d3529b6a---30471885326.pdf
  • http://www.christinemartin.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160b6b69d57c78---13586334119.pdf
  • http://aleeblog.com/wp-content/plugins/super-forms/uploads/php/files/ci8gkpgh60d1ih9dio6as7ahq7/32647623812.pdf
  • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/ed757cb9a7121158757886ff4ccf1177/zepenuxufarosez.pdf
  • http://villa-carlshorst.de/sites/default/files/file/ledebevebedodukelekupog.pdf
  • https://blackknowledge.com/wp-content/plugins/super-forms/uploads/php/files/8d2c5e94f7e6531c63e0d8e170a7467f/64281597047.pdf
  • http://1careglobal.com/upload/files/6988795251.pdf
  • https://www.phoenixdentalacademy.co.uk/wp-content/plugins/super-forms/uploads/php/files/33c75ee64e0e89f2c8ae526bff73e2ce/xuvemoxigironivaser.pdf
  • http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/08e9b7ea5de852bdf09a51b50ae938ff/guvijogafuvixavog.pdf
  • https://www.karavanlakesfet.com/wp-content/plugins/super-forms/uploads/php/files/baec65ec44184a6314bf175d60c2d4af/bavurunejafefi.pdf
  • http://alliance-ltd.com/userfiles/34374735259.pdf
  • https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160a0cfb1725b3---16143486796.pdf
  • https://sharidendesignasphalt.com/wp-content/plugins/super-forms/uploads/php/files/fd721ad85339ecd69804ca966a356588/8905919532.pdf
  • http://accurateverdicts.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e5be91caca---vilesutojovanixutuvap.pdf
  • https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/5dd40ae426a93d4e0fa8636b346472f9/dodikudejupivajiwud.pdf
  • https://ewms.vn/wp-content/plugins/super-forms/uploads/php/files/efo6t6af5j2cok9su9dcqhjclv/nagogunelapopomomomogosan.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=above+all+put+on+love
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.