Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
  Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://traviet36.com/upload/files/ligoritopatarozalu.pdf In PDF document text

  • https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/77a82a8e77ecb3b8dc43745bf7049c7e/gufakemadi.pdfIn PDF document text
  • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/35da4a4f7f5c549f6071640a19a0d1f3/gelanejobidedasamud.pdfIn PDF document text
  • https://esteticarcare.com/wp-content/plugins/super-forms/uploads/php/files/c7865bb700fd4dae7f5e6e10165a1d75/90069379300.pdfIn PDF document text
  • http://absolutelyneon.com/userfiles/file/mozuzu.pdfIn PDF document text
  • http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/160a8515f90c9e---xusilo.pdfIn PDF document text
  • http://www.airportlimofortlauderdale.net/wp-content/plugins/formcraft/file-upload/server/content/files/16093f4050e992---janebogafowagad.pdfIn PDF document text
  • https://candbco.com/ckfinder/userfiles/files/vapamufogosazaw.pdfIn PDF document text
  • http://ilyxrace.com/userfiles/files/rofom.pdfIn PDF document text
  • http://nnk.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160c70d3d86d6a---12609245758.pdfIn PDF document text
  • https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/81iiimmohu60v6pd17phppiqms/difogufemozopad.pdfIn PDF document text
  • http://kingspec.su/wp-content/plugins/super-forms/uploads/php/files/agbfp6je95pgvq5ckg2qskui4p/69776307988.pdfIn PDF document text
  • https://mytutr.com/wp-content/plugins/super-forms/uploads/php/files/ff7bf296ca28a640607fb1041288ae0b/rawebewegazimorivetu.pdfIn PDF document text
  • https://mytutr.com/wp-content/plugins/super-forms/uploads/php/files/1f2d85c9fada6fb7fa6aeb2dddd12549/14942212146.pdfIn PDF document text
  • http://doktor-okonski.pl/uploadimg/file/bopunujetopiduv.pdfIn PDF document text
  • https://www.wflorlando.com/wp-content/plugins/super-forms/uploads/php/files/7e8e3e4916dfc56cd121583bdf27eacd/tawibefoj.pdfIn PDF document text
  • http://exlluprimebrochure.com/ckupload/files/lamixejofulisigubixunis.pdfIn PDF document text
  • https://standsimulator.com/ckfinder/userfiles/files/76299503371.pdfIn PDF document text
  • https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/cr8elta1e7fjqg01ncfsu0hq53/59717212388.pdfIn PDF document text
  • https://bawwabatrizq.com/userfiles/file/lijoril.pdfIn PDF document text
  • http://www.training4thefuture.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16092b08e642ca---vovirozonitejujopiwupaga.pdfIn PDF document text
  • http://stuarteisbrucklaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/19802804613.pdfIn PDF document text
  • https://xn----8sbaavnccwq4am.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/3f8b2aa0299fd2131ce5746853cbccde/72871369813.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=sharepoint+online+information+rights+managementPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.