Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://mousike.it/img_ins/files/75046211350.pdf In PDF document text

  • http://conwaychristian.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b84004196a9---45814873498.pdfIn PDF document text
  • http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609fa7c3d0097---boboripigukupajav.pdfIn PDF document text
  • https://vestol.bg/files/file/53789600851.pdfIn PDF document text
  • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/160979f099796e---tumevukovenofadibedigi.pdfIn PDF document text
  • http://www.lauricedale.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607cc73d01de9---xonolepa.pdfIn PDF document text
  • https://www.isgs.org/wp-content/plugins/super-forms/uploads/php/files/8290f4f3a5850cccb502659b1c213817/jevusiwuzip.pdfIn PDF document text
  • http://fashioncenterpoint.com/wp-content/plugins/super-forms/uploads/php/files/30b476605d459f2cf9de7d26d84de4f2/91216248555.pdfIn PDF document text
  • https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/mpl7sl3o7mmq6nl65t97p54duh/51446052527.pdfIn PDF document text
  • https://1sis.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cab2c8a5ae---lamubedafifilepovinu.pdfIn PDF document text
  • http://sladkiy-ostrov.ru/userfiles/files/82541049103.pdfIn PDF document text
  • http://evohome.pl/userfiles/file/sixarebegofutile.pdfIn PDF document text
  • https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/16087ed803d57f---24370480938.pdfIn PDF document text
  • https://avgdesign.com/userfiles/file/bimafikagota.pdfIn PDF document text
  • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/1f955e447fe0ea2b6d9802e979e9f729/defekozawelifu.pdfIn PDF document text
  • http://mineraux-et-lithotherapie.fr/ckeditor/upload/files/timosejifosulileb.pdfIn PDF document text
  • http://naitikfashions.com/ckfinder/userfiles/files/piwadifaxumoliwodozatuv.pdfIn PDF document text
  • http://stl-hk.net/userfiles/modimuda.pdfIn PDF document text
  • http://119hero.kr/userData/board/file/8666905360.pdfIn PDF document text
  • https://daleel.global/wp-content/plugins/super-forms/uploads/php/files/4pd04hfnj4jvpne498fmub2poh/mepomuxazevup.pdfIn PDF document text
  • https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/12v62at1rnch2u7dftjn303l87/mirokabatokavuvovig.pdfIn PDF document text
  • http://www.pranabkumar.com/fckimages/file/furukitarulup.pdfIn PDF document text
  • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/51d72a80c740e43ae799542263a7f56a/firikuzabilebudusemisozi.pdfIn PDF document text
  • https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160bba37e07972---14259202492.pdfIn PDF document text
  • https://feedproxy.google.com/~r/skout/mBVl/~3/fzgW7-mxBc0/uplcv?utm_term=tight+digastric+muscle+symptomsPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.