Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://2greenchicks.com/wp-content/plugins/super-forms/uploads/php/files/5e8aca4a1770fafbc91c37c43ce035a8/3677836237.pdf In PDF document text

  • https://dmddsgn.com/wp-content/plugins/super-forms/uploads/php/files/29e45ea9860bb56f9bed1f58f7af4a1f/xelagafaxefefaxikolu.pdfIn PDF document text
  • https://carpanea.it/wp-content/plugins/super-forms/uploads/php/files/cd9a65d9b244fcd49fd7fcb1f77caa86/90019842946.pdfIn PDF document text
  • http://theeultimatenetworker.com/ckfinder/userfiles/files/20005399561.pdfIn PDF document text
  • https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/1b1736fac37f6d7b28d97dba2bf7c27e/goturejisa.pdfIn PDF document text
  • http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607885ac56a09---jazalojofevalopidu.pdfIn PDF document text
  • https://coachtourbusrental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c958c048ca9---67183960407.pdfIn PDF document text
  • https://k-kompany.ru/wp-content/plugins/super-forms/uploads/php/files/80992d2663c49cc5b33b357aa7df772f/98493296692.pdfIn PDF document text
  • https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/f42a046867020faec615fc0bf13b0ec9/73557018654.pdfIn PDF document text
  • https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/160ad98909a406---33149806239.pdfIn PDF document text
  • http://thankschicken.com/uploads/files/luxijulemoruwu.pdfIn PDF document text
  • https://senzedigicraft.com/wp-content/plugins/super-forms/uploads/php/files/86bd329609dd4af9311fb151a25eed1f/zatosoxaxilozisaf.pdfIn PDF document text
  • http://ahlhy.com/uploads/file/260713077415.pdfIn PDF document text
  • http://adhdadvisory.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1b4d691314---ruradozanajananid.pdfIn PDF document text
  • http://burningspearmarketplace.com/js/ckfinder/userfiles/files/30827476271.pdfIn PDF document text
  • https://alnahamgroup.com/userfiles/file/44148972751.pdfIn PDF document text
  • http://www.absolutecateringla.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2d36719e48---79926054019.pdfIn PDF document text
  • http://voxel-avocats.fr/uploads/file/rapapidonivoxisajuj.pdfIn PDF document text
  • http://bogelaipigeon.com/upload/file/74633044341.pdfIn PDF document text
  • https://emergent-partners.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c9eead011a1---28084126952.pdfIn PDF document text
  • http://at2apigroup3.com/contents//files/kimupujugefuvo.pdfIn PDF document text
  • http://zawayakw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087b7e6a0577---mezefiraguxibumoko.pdfIn PDF document text
  • https://samiznojmo.cz/wp-content/plugins/super-forms/uploads/php/files/5fdba74ad56e23d264fb966bf786643c/85430045286.pdfIn PDF document text
  • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=cliff+notes+biology+pdfPDF link annotation
  • http://e1pl2.nazwa.pl/busy/fotki/file/tupuxigag.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.