Malicious PDF — malware analysis report

Heuristics 8

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
  Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
• Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
  Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=dormant+meaning+in+marathi.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://infoenergie-loire.org/userfiles/file/83827771459.pdf In PDF document text

  • https://mikepromedia.com/wp-content/plugins/super-forms/uploads/php/files/tm53t3f33earufr1e3l38c4ul4/26009773352.pdfIn PDF document text
  • https://masihpt2.com/contents//files/59376658993.pdfIn PDF document text
  • http://anaminfo.com/attachfile/file/kewexejejoxewodubasikewa.pdfIn PDF document text
  • https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/f8996d938f08a7c36f9b0c05fa09229c/97230317105.pdfIn PDF document text
  • https://akproauto.com/nbloom/fckuploads/file/jadefifo.pdfIn PDF document text
  • http://gopherandsquirrelcontrol.com/admin/images/file/zabasefi.pdfIn PDF document text
  • https://advicezone.org.uk/wp-content/plugins/super-forms/uploads/php/files/jqssumljndc0u9qfa4nfh5ahgi/ketegibako.pdfIn PDF document text
  • http://barudan.hk/UploadFile/file/20210629152653036.pdfIn PDF document text
  • http://meyanko.com/userfiles/file///65444979075.pdfIn PDF document text
  • https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/a95c7e9539702c225d831aa7ec0d927d/61036833725.pdfIn PDF document text
  • http://www.gunyagder.org.tr/wp-content/plugins/super-forms/uploads/php/files/kllccllpu749oae4ojjhqu6bh3/5235141124.pdfIn PDF document text
  • https://opsclown.it/ckfinder/userfiles/files/jukowavuxudujuguguga.pdfIn PDF document text
  • https://capitaleny.com/wp-content/plugins/super-forms/uploads/php/files/180d4fc4d6dbdf378953a7e5635fb521/danadi.pdfIn PDF document text
  • http://nomaquito-travel.com/editor-images/36593299654.pdfIn PDF document text
  • http://camionespanamericana.com/userfiles/file/3830643186.pdfIn PDF document text
  • http://ljhalls.com/wp-content/plugins/super-forms/uploads/php/files/0637cb6bcc25ecd4a41fc4cef9183312/82431134278.pdfIn PDF document text
  • https://www.quatainvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609d9d919f3d8---51111593727.pdfIn PDF document text
  • http://lotusromeo.fr/app/webroot/files/userfiles/files/fovefof.pdfIn PDF document text
  • https://agrilaui.com/userfiles/file/wazoruvovorixesadinunenod.pdfIn PDF document text
  • https://askopenko.com/wp-content/plugins/super-forms/uploads/php/files/192ac510351e74a0146a09992dd4d492/fazizobifatinede.pdfIn PDF document text
  • http://ecovn.vn/uploads/news_file/lapasivetisubo.pdfIn PDF document text
  • https://goldenparadisestsimons.com/wp-content/plugins/super-forms/uploads/php/files/e68a7e8a219fc5246e543b33d3f3d51a/33061570956.pdfIn PDF document text
  • https://kfz-gutachter-oliver-schiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609ff00293ed7---96683123352.pdfIn PDF document text
  • https://accesoriosalmayor.com/images/userfiles/file/1285434928.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=dormant+meaning+in+marathiPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.