Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://soxebez.ru/award?keyword=botswana+population+census+2020+pdf PDF link annotation

  • https://tefuledajejus.weebly.com/uploads/1/3/1/4/131437322/lozizos.pdfIn PDF document text
  • https://kiseridebajesa.weebly.com/uploads/1/3/1/4/131408791/rozijujekedupelisad.pdfIn PDF document text
  • https://dinowupeguf.weebly.com/uploads/1/3/1/3/131379410/6efbdf70fc312.pdfIn PDF document text
  • http://medemukiduba.sportsontheweb.net/el_hombre_mas_rico_de_babilonia_audiolibro_completo_voz_humana.pdfIn PDF document text
  • https://ronukava.weebly.com/uploads/1/3/4/8/134885886/sozubafofileja.pdfIn PDF document text
  • http://nezowigivomi.scienceontheweb.net/2013_subaru_impreza_hatchback_speaker_size.pdfIn PDF document text
  • https://gipulafu.weebly.com/uploads/1/3/4/4/134442702/98d57c37a6.pdfIn PDF document text
  • https://tefuledajejus.weebly.com/uIn macro / runtime command snippet
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://f110cc6a-49d6-427c-9ab6-a3a4d323b004.filesusr.com/ugd/9e53d4_f9909908aed345a683d4050669b1d7c8.pdf?index=trueIn PDF document text
  • http://jisijuvod.myartsonline.com/windows_powershell_v1.0_virus.pdfIn PDF document text
  • https://d64d5b41-a66a-4b78-b87f-0feaf8e9cf76.filesusr.com/ugd/cf1aed_c3b5c59e1ebb4034bd4ebc9b78d6e29f.pdf?index=trueIn macro / runtime command snippet
  • https://edcb5511-827b-40b0-97c1-3499c313f96b.filesusr.com/ugd/0779a3_36d449c0f47c4633838bc007dc7ed8df.pdf?index=trueIn PDF document text
  • https://724418e0-3ace-43c1-abd8-628b4820fc71.filesusr.com/ugd/6df952_7e8d01ff7af14e9a98ec2ed4f7d69373.pdf?index=trueIn PDF document text
  • https://9cf5cc10-3c2e-4e30-ae6b-73ed7beed88a.filesusr.com/ugd/5c2b46_73ffcc5fb4ba40468ba0e77bc5f126dc.pdf?index=trueIn PDF document text
  • https://bed1e925-73f7-457c-87ff-53f226988024.filesusr.com/ugd/d4a8ce_33cdc623600a49d992140f88d5f63241.pdf?index=trueIn PDF document text
  • https://51bf459c-6b46-41b0-863f-532cf8a77e0d.filesusr.com/ugd/2eedf1_0c5813dba5944ff29df7a9c09436ed5e.pdf?index=trueIn PDF document text
  • https://6bc553e5-d0de-4278-827a-c77c8eb32fbd.filesusr.com/ugd/4a6c57_e0b1dc34d3494276a84aa219c9c17de6.pdf?index=trueIn PDF document text
  • https://1b3fde16-7575-45ba-b40e-8916c64185ca.filesusr.com/ugd/8874e8_487fdb20cd404249b0858a58eebd535a.pdf?index=trueIn PDF document text
  • http://jezevenakos.myartsonline.com/34642089270.pdfIn PDF document text
  • https://d4f1f58f-bd44-402a-a4b0-a3aa01e36dbf.filesusr.com/ugd/dffefa_3b15627d48004a07b10d5e26576bdf29.pdf?index=trueIn PDF document text
  • https://ff9dba89-6132-4485-99c2-ace8a2453124.filesusr.com/ugd/c3f59f_45264063d6544a9e91b9bfd914a0ecc7.pdf?index=trueIn PDF document text
  • https://3c4962d9-41f7-4f14-8396-dad57cc8de20.filesusr.com/ugd/a2de88_7d544014638e4ed0a2de309142e8ab37.pdf?index=trueIn PDF document text
  • https://d650f791-4ca6-4964-96f1-ba9fac0414c1.filesusr.com/ugd/adf9cb_97a957aae6b64c9a9cd8973858ab7a7f.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.