Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://wastran.ru/uplcv?utm_term=secretary+short+story

  • http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/lvda9ro8njem8cevmnkvfcqkt0/xavalitixukudorotoxamoli.pdf
  • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b42d60c2bf7---95736292721.pdf
  • http://bike-aholic.com/UserFiles/file/62478365886.pdf
  • http://cnmrobotics.com/files/files/51626319385.pdf
  • https://laxmigrouppune.com/wp-content/plugins/super-forms/uploads/php/files/78fc9b8fa160755b557ef5c7f01dd8c5/33097204101.pdf
  • https://flycam.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160870e40e3665---pokizizof.pdf
  • https://www.cibaospalaser.com/wp-content/plugins/super-forms/uploads/php/files/tj0cjb551r7abkk00mf7ckv3no/kujabemekukeli.pdf
  • https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/pi7pqc8j16s6bt11h7unqlqm7a/48319856295.pdf
  • https://pikewallis.no/wp-content/plugins/formcraft/file-upload/server/content/files/160788f9220347---34858178602.pdf
  • https://promocionesnma.com/wp-content/plugins/super-forms/uploads/php/files/e3f5fd8f1467c6c680b25e61d067428b/limemizamefofotipo.pdf
  • https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/b8rrnvf2h4mpn7m7482qehnqs8/zetatijufenixijuzafagiri.pdf
  • http://cloverpark1961.com/clients/6/6a/6a73a08bb68f643008adb5efbbb44e43/File/51391188905.pdf
  • https://jollytime.ru/wp-content/plugins/super-forms/uploads/php/files/a72390abc143671cca8900e29704ae5f/62906295760.pdf
  • https://3dreamstudios.com/wp-content/plugins/super-forms/uploads/php/files/10b03203e682788c18d2074c1af91ed3/35146301083.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.