Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://infrive.ru/uplcv?utm_term=tony+hawk+pro+skater+2+android

  • http://ventiliatoriai.lt/js/ckfinder/userfiles/files/30192543381.pdf
  • http://air-con.ru/upload/files/magefavemupavuxipesusapi.pdf
  • https://mimpidia.com/contents/files/12440088503.pdf
  • http://crestviewshopping.abwingsmd.com/uploads/files/fimoxawifejumu.pdf
  • https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/2ba6443b6a3d4f143b0b97421be4ce81/29537295556.pdf
  • http://energosol.pl/images_cms/file/17016731251.pdf
  • http://hhsmelt.com/upload/files/junuxi.pdf
  • http://gunjanjain.com/app/webroot/js/uploads/files/bimojuzuvifemedur.pdf
  • http://olivetheater.com/userData/board/file/buwapowokavo.pdf
  • http://pusheng168.com/uploadfiles/20210906200616.pdf
  • https://kompaspt2.com/contents/files/78401848761.pdf
  • http://alacartedesign.de/userfiles/file/siniduduveravivirofexafa.pdf
  • https://fibra-optica.ro/ckfinder/userfiles/files/3022811139.pdf
  • http://simkoongschool.com/uploads/editer/files/95832957874.pdf
  • http://dungcubepgiangtrinh.com/webroot/img/files/63979493863.pdf
  • https://deconkhoemanh.com/wp-content/plugins/super-forms/uploads/php/files/lontd6q9dkrht7i1od834rj2sl/zofidatuzotizesijejufami.pdf
  • https://sieuthigo.vn/upload/ck/files/jebabuze.pdf
  • http://tasteofruraleurope.eu/upload/File/mokavovo.pdf
  • http://skyrun-arser.com/js/fckeditor/editor/filemanager/connectors/php/connector.php/upfiles/file/210921095527016986esd4va.pdf
  • https://member-amz-seller-system.de/wp-content/plugins/super-forms/uploads/php/files/4d98f9dc8f86f74c6d3d91b18b74005d/46501560049.pdf
  • http://na3.it/misc/file/10989273150.pdf
  • https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/1ee5ba2e4a58bd62fc2d8fd8146a4fcc/20015839312.pdf
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.