Malicious PDF — malware analysis report

Static analysis result for SHA-256 b755449588f6407f…

Verdict: MALICIOUS
File type: PDF

Size: 88.8 KB
Created: 2021-06-27 01:22:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-12
MD5: 4f4040e67b75e721a3fdaeaa08b8d4fd
SHA-1: 1fd51ecda469cb893e3f3f68641527514094c4cc
SHA-256: b755449588f6407f7f69f6d094cccd7af323ee81ebfb0999817bcfe46a865cc0
Risk score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an 88.8 KB PDF produced by wkhtmltopdf 0.12.5 (Qt 5.11.3), the HTML-to-PDF toolchain typical of machine-generated "free document/template" SEO bait. It references a /JS stream, but that finding is scored low: generic JavaScript is common in benign forms and no dangerous API is flagged, so the JavaScript is not what drives the verdict. The verdict rests on the link profile: more than two dozen clickable links spread thinly across unrelated hosts, almost all pointing at random-slug .pdf files parked in the upload directories of WordPress form plugins (FormCraft, Super Forms) or similar user-upload folders on compromised sites, plus a feedproxy.google.com redirector carrying an SEO utm_term. That is the signature of a link farm that ranks for search queries and routes visitors into payload or phishing chains hosted elsewhere; the document itself carries no exploit, so the risk lies in the linked destinations. ClamAV's Pdf.Phishing.Trojan signature corroborates the classification. The two dejavu.sourceforge.net URLs are most likely DejaVu font licence strings from the fonts wkhtmltopdf embeds, not attacker-placed links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8773

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f93534c26f---rarudelukakor.pdf (in PDF document text)
    • https://coloreverything.love/wp-content/plugins/super-forms/uploads/php/files/cc0cee580be2f5c1bb81dad43d0e07f3/pikonebun.pdf (in PDF document text)
    • http://akcjonariusz.com/UserFiles/file/86293444378.pdf (in PDF document text)
    • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160893109ec89e---9040975648.pdf (in PDF document text)
    • http://lavalnerina.it/userfiles/file/xatojafimiwidarefinaditon.pdf (in PDF document text)
    • http://theopenhouseclub.com/wp-content/plugins/super-forms/uploads/php/files/66c17c4bdbd685cb6aa2219f9fc51696/xuvoraliwufogajate.pdf (in PDF document text)
    • https://velvetskin.pl/wp-content/plugins/super-forms/uploads/php/files/52e79349836f82f97c0932f23680be49/kefaxuzaxatobimixufoxus.pdf (in PDF document text)
    • http://opalbiosciences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a933de3f09---56108118801.pdf (in PDF document text)
    • https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ff84a4e753---63800533113.pdf (in PDF document text)
    • http://erbilsunhotel.com/wp-content/plugins/super-forms/uploads/php/files/o45u0rubimdfijcvch2qs087l7/nogal.pdf (in PDF document text)
    • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1607d150114594---muzalogujipokasaxasif.pdf (in PDF document text)
    • https://medicinasolidale.org/wp-content/plugins/super-forms/uploads/php/files/f8275048b8717451e28345e2f6a82d63/zetoxowozubekeluku.pdf (in PDF document text)
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/aah405frqcontpi66qegnjh1ic/vifivapikujepi.pdf (in PDF document text)
    • http://test.uebersetzungen-nesselberger.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a27e09727c6---75482246825.pdf (in PDF document text)
    • http://www.empresasdelimpeza.info/wp-content/plugins/formcraft/file-upload/server/content/files/1607d1bee5a658---3713450335.pdf (in PDF document text)
    • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/5b298dd6d21c7f136ea5811a7f69f8ce/zaragokeme.pdf (in PDF document text)
    • http://premiumresourcing.com/wp-content/plugins/formcraft/file-upload/server/content/files/160767aec2a045---lagixarovenoruti.pdf (in PDF document text)
    • https://www.opdrrustukalac.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e7a3b9804f---juvuridumed.pdf (in PDF document text)
    • https://svetpoznaniyaonline.ru/wp-content/plugins/super-forms/uploads/php/files/9badebb0204c6ab4ae7e692389a486e4/10621024230.pdf (in PDF document text)
    • https://aspaeng.com/files/image/files/lifagiliravuburapo.pdf (in PDF document text)
    • http://masonlegacy.org/clients/61515/File/31112442090.pdf (in PDF document text)
    • http://southwest66reunion.com/clients/f/f6/f6f8b7bd17d60304c359e527a2c43449/File/96551326852.pdf (in PDF document text)
    • http://tsutae-f.com/js/upload/files/gafebumebuda.pdf (in PDF document text)
    • https://trucraftsmanship.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c9737fa7ef9---16242191038.pdf (in PDF document text)
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/g7tkl31h1r5t8l57h5mhrsde34/pujefagelixetuxopomexo.pdf (in PDF document text)
    • https://www.kunapak.com/wp-content/plugins/super-forms/uploads/php/files/h7r2mfsqrb7n1ef0nduuhn475h/49439736550.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=is+oxidation+an+exothermic+or+endothermic+reaction (PDF link annotation)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
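The two link-farm rules above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) describe a profile that is easy to reproduce offline. The Python below is an added example and not the analysis platform's rule engine: it pulls URLs out of raw PDF bytes, checks for a /JS key the way PDF_JS does, classifies each URL by the upload-directory and random-slug patterns visible in the list above, and returns a verdict. The regexes, the 512 KB "small file" cutoff, the five-host and 50% host-dominance thresholds, and the exclusion of the DejaVu licence host are my assumptions; the sample URL list is a subset of the URLs in this report, and the sample PDF is constructed (no xref table, uncompressed streams) so that byte-level scanning works without a PDF library.

```python
"""Added example: re-implementation of the link-farm heuristics described in the report.
Thresholds and regexes are assumptions, not the analysis platform's actual rules."""
import re
from collections import Counter
from urllib.parse import urlparse

# Upload-directory patterns, in priority order (first match wins).
UPLOAD_PATTERNS = [
    ("formcraft-upload",   re.compile(r"/wp-content/plugins/formcraft/file-upload/server/content/files/")),
    ("super-forms-upload", re.compile(r"/wp-content/plugins/super-forms/uploads/php/files/")),
    ("generic-upload-dir", re.compile(r"/(?:userfiles|clients|upload|files)/.*\.pdf$", re.I)),
]
# Random-slug basenames: all digits or a long lowercase run, optionally behind the
# '<hex-timestamp>---' prefix that FormCraft's uploader adds.
RANDOM_SLUG = re.compile(r"^(?:[0-9a-f]{8,}---)?(?:\d{8,}|[a-z]{5,})\.pdf$")
# Assumption: this host appears in DejaVu font licence strings embedded by wkhtmltopdf/Qt,
# not in author-placed links, so it is excluded from the farm statistics.
FONT_LICENSE_HOSTS = {"dejavu.sourceforge.net"}
URL_RE = re.compile(rb"https?://[^\s()<>\"'\]]+")


def extract_urls(pdf_bytes: bytes) -> list[str]:
    """All http(s) URLs in the raw bytes: /URI actions and uncompressed page text alike.
    Real tooling inflates /FlateDecode streams first; this stays dependency-free."""
    return sorted({m.group(0).decode("latin-1") for m in URL_RE.finditer(pdf_bytes)})


def has_js_action(pdf_bytes: bytes) -> bool:
    """Mirror of PDF_JS: a /JS or /JavaScript key is present (low severity on its own)."""
    return re.search(rb"/(?:JS|JavaScript)\b", pdf_bytes) is not None


def classify(url: str) -> str:
    p = urlparse(url)
    if p.hostname in FONT_LICENSE_HOSTS:
        return "font-license"
    if "utm_term=" in p.query:
        return "seo-redirector"
    for label, rx in UPLOAD_PATTERNS:
        if rx.search(p.path):
            return label
    return "other"


def link_farm_verdict(urls: list[str], size_bytes: int, max_size: int = 512 * 1024) -> dict:
    """Small file, >= 5 distinct hosts, no host above 50% of links, >= 5 random-slug
    parked files: the profile both PDF_*_LINK_FARM rules describe (thresholds assumed)."""
    suspect = [u for u in urls if classify(u) not in ("font-license", "other")]
    hosts = Counter(urlparse(u).hostname for u in suspect)
    slugs = sum(1 for u in suspect if RANDOM_SLUG.match(urlparse(u).path.rsplit("/", 1)[-1]))
    top_share = max(hosts.values()) / len(suspect) if suspect else 0.0
    return {
        "links": len(suspect),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "random_slugs": slugs,
        "seo_redirector": any(classify(u) == "seo-redirector" for u in urls),
        "is_link_farm": size_bytes <= max_size and len(hosts) >= 5
                        and top_share <= 0.5 and slugs >= 5,
    }


# Constructed sample: a subset of the URLs listed in the report.
SAMPLE_URLS = [
    "https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f93534c26f---rarudelukakor.pdf",
    "https://coloreverything.love/wp-content/plugins/super-forms/uploads/php/files/cc0cee580be2f5c1bb81dad43d0e07f3/pikonebun.pdf",
    "http://akcjonariusz.com/UserFiles/file/86293444378.pdf",
    "http://lavalnerina.it/userfiles/file/xatojafimiwidarefinaditon.pdf",
    "https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160893109ec89e---9040975648.pdf",
    "http://erbilsunhotel.com/wp-content/plugins/super-forms/uploads/php/files/o45u0rubimdfijcvch2qs087l7/nogal.pdf",
    "http://masonlegacy.org/clients/61515/File/31112442090.pdf",
    "https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=is+oxidation+an+exothermic+or+endothermic+reaction",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
    "http://tsutae-f.com/js/upload/files/gafebumebuda.pdf",
]

# Constructed minimal PDF: one /URI link annotation, one /JS OpenAction, one URL in page text.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=is+oxidation+an+exothermic+or+endothermic+reaction) >> >> endobj
5 0 obj << /Length 76 >> stream
BT /F1 10 Tf (http://akcjonariusz.com/UserFiles/file/86293444378.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_URLS, 90_931))          # the report's 88.8 KB sample
    print(has_js_action(SAMPLE_PDF), extract_urls(SAMPLE_PDF))
```

Two points the code makes explicit that the rule text only implies: the verdict is driven by host spread and parked-file naming rather than by any single URL, so a two-link PDF with the same hosts does not trip it, and the /JS check is deliberately kept out of the verdict so that a benign form with JavaScript is not pushed over the line by the link rules.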

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000ef0a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF0A    16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001071b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1071B   16140 bytes
    SHA-256: 78ecf8e6b815915fb8d90f682407fa5e2b9430ed59f7c36deee35c1cff9d9725
font_02_sfnt_off00011c7f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x11C7F   17856 bytes
    SHA-256: d4b7159e4a7218cf819fe73f62b29e52f25a61db336f01041bb7fab9d4e480b0
font_03_sfnt_off00014c1c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x14C1C   10644 bytes
    SHA-256: a7ffbc60ccdbb2fcbf6fc96ef837197ed79cdcba77344d67c56bbd5dec903813
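Carved font streams like the four above deserve a quick structural check before they are dismissed: an sfnt container that really is a font has a table directory whose entries all fit inside the blob, leaves no unreferenced trailing bytes where data could be appended, and carries its vendor and licence strings in the name table (which is where URLs such as dejavu.sourceforge.net normally originate). The Python below is an added example, not part of this report's tooling: parse_sfnt() and triage() validate a carved blob, and build_sfnt() exists only to construct two samples offline (a clean name-table-only font with DejaVu-style licence strings, and the same font with bytes appended). That the real font_*.bin artifacts are DejaVu fonts is an assumption made for the sample; real carved fonts carry many more tables than the single name table built here.

```python
"""Added example: sanity-check a carved sfnt (TrueType/OpenType) stream.
Not the analysis platform's code; sample fonts are constructed by build_sfnt()."""
import re
import struct

SFNT_VERSIONS = {0x00010000: "TrueType", 0x4F54544F: "OpenType/CFF (OTTO)", 0x74727565: "TrueType (true)"}
NAME_IDS = {0: "copyright", 1: "family", 13: "license", 14: "license-url"}
URL_RE = re.compile(r"https?://\S+")


def parse_sfnt(blob: bytes) -> dict:
    """Parse the offset table, the table directory and (if present) the name table.
    Raises ValueError when the blob is not structurally a font."""
    if len(blob) < 12:
        raise ValueError("too short for an sfnt offset table")
    version, num_tables, _, _, _ = struct.unpack_from(">IHHHH", blob, 0)
    if version not in SFNT_VERSIONS:
        raise ValueError(f"not an sfnt: version {version:#010x}")
    if 12 + 16 * num_tables > len(blob):
        raise ValueError("table directory runs past end of blob")
    tables, covered_end = {}, 12 + 16 * num_tables
    for i in range(num_tables):
        tag, _, off, length = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        if off + length > len(blob):
            raise ValueError(f"table {tag!r} points past end of blob")
        tables[tag.decode("latin-1")] = blob[off:off + length]
        covered_end = max(covered_end, off + length)
    names = {}
    if "name" in tables:
        t = tables["name"]
        _, count, str_off = struct.unpack_from(">HHH", t, 0)
        for i in range(count):
            plat, _, _, nid, ln, so = struct.unpack_from(">HHHHHH", t, 6 + 12 * i)
            raw = t[str_off + so:str_off + so + ln]
            names[nid] = raw.decode("utf-16-be" if plat in (0, 3) else "latin-1", errors="replace")
    return {"kind": SFNT_VERSIONS[version], "tables": sorted(tables),
            "names": names, "slack_bytes": len(blob) - covered_end}


def triage(blob: bytes) -> dict:
    """Per carved font: what kind of sfnt it is, which tables it has, how many bytes no
    table references (a place appended payloads hide), and which URLs/labels it embeds."""
    info = parse_sfnt(blob)
    text = " ".join(info["names"].values())
    return {"kind": info["kind"], "tables": info["tables"],
            "slack_bytes": info["slack_bytes"],
            "urls": sorted(set(URL_RE.findall(text))),
            "labels": {NAME_IDS.get(k, str(k)): v for k, v in info["names"].items()}}


def build_sfnt(names: dict) -> bytes:
    """Construct a minimal TrueType container holding only a format-0 name table with
    Windows/Unicode-BMP records. Checksums are left zero; only the layout matters here."""
    strings, records = b"", []
    for nid, text in sorted(names.items()):
        enc = text.encode("utf-16-be")
        records.append(struct.pack(">HHHHHH", 3, 1, 0x409, nid, len(enc), len(strings)))
        strings += enc
    name_tbl = struct.pack(">HHH", 0, len(records), 6 + 12 * len(records)) + b"".join(records) + strings
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)      # one table: searchRange 16
    directory = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name_tbl))
    return header + directory + name_tbl


# Constructed samples: a clean font carrying DejaVu-style licence strings (assumed, for
# illustration), and the same font with data appended after the last table.
CLEAN_FONT = build_sfnt({1: "DejaVu Sans",
                         14: "http://dejavu.sourceforge.net/wiki/index.php/License"})
PADDED_FONT = CLEAN_FONT + b"\x00" * 7 + b"not-a-font-table"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_FONT), ("padded", PADDED_FONT)):
        print(label, triage(blob))
```

On a real carved stream, a non-zero slack_bytes count or a table whose offset falls outside the blob is the cue to look harder; licence URLs in the name table, by contrast, explain the dejavu.sourceforge.net entries in the URL list without implying any attacker control over them.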