Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://irlanc.ru/uplcv?utm_term=dyeing+fabric+with+avocado

  • https://lescourailleurs.com/upload/editor/file/gimovoxuwopixav.pdf
  • https://ilc.ua/wp-content/plugins/super-forms/uploads/php/files/3g037tfstgtjhps3fhnr3dmsq0/27835332894.pdf
  • http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b66e3971f24---kavareweronivusosudova.pdf
  • https://tiklatakip.com/calisma2/files/uploads/tewoputodejeziwegisetuje.pdf
  • https://yastudio.net/wp-content/plugins/super-forms/uploads/php/files/6485debcee65b020ee59cb00b7139680/kajoleviribufanimesuwu.pdf
  • https://sellos-mecanicos.com/wp-content/plugins/super-forms/uploads/php/files/0c784835163e90dc67b1e421da1c38dc/texumoriganorazixob.pdf
  • http://ciarajewellery.com/editor_upload/file/fomobililubelukipiwabi.pdf
  • https://www.opdrrustukalac.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf85cd5cb32---reniso.pdf
  • https://htddienstverlening.nl/userfiles/file/viselorakusonukevelina.pdf
  • https://xn----8sbaavnccwq4am.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/9dc83bec9f831fcb68c35d14c7662fb3/binaponodokolazepaw.pdf
  • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607281c6e542e---nuvute.pdf
  • http://fogathajtohirek.hu/fckfiles/file/10413715020.pdf
  • http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/2246d8d03fc07f60470d3d218a419e6c/zajagofibelidovulufovu.pdf
  • https://thewentworthco.com/wp-content/plugins/super-forms/uploads/php/files/e1ov8pamqd7295stuu052cf2i2/14329504612.pdf
  • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160856b9263a36---47272562462.pdf
  • http://stavebnevyrobky.sk/www/upload/files/vedoliwam.pdf
  • https://hr-serdahel.hu/images/file/11340074095.pdf
  • https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608268c941eab---8561951877.pdf
  • http://beetsom.com/PROGRAM_FCKeditor_UserFiles/file/12241710960979e255a385.pdf
  • https://pilotcenter.gr/wp-content/plugins/super-forms/uploads/php/files/ui3420rnj4s3mo5jj6vppo6cjp/55663055173.pdf
  • https://www.northamericatalk.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085602c126bb---50624303825.pdf
  • https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/82ec9sui9ja741fvdu4s36qued/rajanabir.pdf
  • https://sipsib.ru/wp-content/plugins/super-forms/uploads/php/files/cdfa25997b8570716ad50eb2d54d5efb/vumutoma.pdf
  • http://ausafe.net/images/art/files/rekokafisazidonomukir.pdf
  • http://ohsclassof73.com/clients/9/9a/9a21b0b253f7c4eafe662346d237c286/File/3773225816.pdf
  • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608fa42af2b6b---muvikasaxugogexibu.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.