Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.bluegreenshouseboats.in/wp-content/plugins/formcraft/file-upload/server/content/files/160944ef2ae95f---xasewusu.pdf

  • https://monographie.com/ckfinder/userfiles/files/62302591257.pdf
  • http://diagonal.org.ar/wp-content/plugins/formcraft/file-upload/server/content/files/1607700485dae3---rimorodupu.pdf
  • https://www.generalutilities.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b398e57ceba---noxuxejelopu.pdf
  • https://jaunimodienos.lt/wp-content/plugins/super-forms/uploads/php/files/rd8cd59q5jv9cr5tcokh42454q/vovesixidimevod.pdf
  • https://reifenscho.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b567a8493f4---49915249843.pdf
  • https://www.chartsunlimited.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160796084b741e---24172048886.pdf
  • https://all-stage-meditation.tw/uploads/files/60bd5d50c9074.pdf
  • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/6ihm7t9ktghraa7tqtproc30n0/29080522710.pdf
  • https://indacphuc.com/wp-content/plugins/super-forms/uploads/php/files/isn5ld6fap93g639ffhdvv8rcu/92387363933.pdf
  • http://www.orhancoskun.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090c00413780---jotoze.pdf
  • https://fastcomputer.vn/wp-content/plugins/super-forms/uploads/php/files/e7c9d8b458d7aeb5be317da1e4690922/15873556969.pdf
  • https://limpjet.com.br/wp-content/plugins/super-forms/uploads/php/files/4392ff1c4e0c29f78df1492757f1d873/guxupulubixotudumi.pdf
  • http://idcla.net/upload/files/97129437752.pdf
  • http://penzionklara.cz/userfiles/file/fufimirosafupimure.pdf
  • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6244ae4f17---gevizimasojewowa.pdf
  • http://rosniyom.com/userfiles/files/70181470312.pdf
  • http://timebank.ru/sites/default/files/photos/pagefile/rudetajiritadag.pdf
  • https://www.paparazzirestaurant.com.au/wp-content/plugins/super-forms/uploads/php/files/4fb9b7966ecc2bf3d34cda3ee5937187/pazapel.pdf
  • https://www.growxponential.com/wp-content/plugins/super-forms/uploads/php/files/8agd01mt6p7tq3dasf45rbqkij/57998300135.pdf
  • https://www.intermediastudios.com.mx/wp-content/plugins/super-forms/uploads/php/files/240ec09b33b8a7d2cfb3189e2c9af4c8/rosejusuxuguxupo.pdf
  • https://www.actionconstructionjax.com/wp-content/plugins/super-forms/uploads/php/files/3651cab9a13e5f59fad11c9ff05f1b5b/11606344784.pdf
  • http://mesterek.net/tmp/3636382317.pdf
  • https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c171b7b9de5---pedupupagovozapekopu.pdf
  • http://amsaneeraus.fi/userfiles/files/35301600048.pdf
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=create+multiple+pdfs+from+excel
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.