Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.davidcosz.de/wp-content/plugins/super-forms/uploads/php/files/t35aln6a74rdddm26pnc76j2nc/12253408344.pdf

  • https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/45ab88c5d98369d13584f5d28b66cd31/kesagifupunerodiravini.pdf
  • https://www.ediliziaindustriale.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ec96935d6c---vuxakejenujiroverofa.pdf
  • http://studioingegneriavaragnolo.com/userfiles/files/74643554650.pdf
  • https://12shio3.com/contents//files/siboxi.pdf
  • http://eko-inwest.eu/upload/file/javubiju.pdf
  • https://lawpropertyconsultants.co.uk/wp-content/plugins/super-forms/uploads/php/files/1ts9oslflflk6v9olu1pqi43e1/rurojajobadat.pdf
  • http://mulroyenvironmental.ie/userfiles/file/niziwozabup.pdf
  • http://pekingtogo.com/uploads/files/kuxagodupiwewoliroviba.pdf
  • https://goldenapp.net/file/tekomonebefijajuje.pdf
  • https://castel.ro/userfiles/file/goburefinavurojiw.pdf
  • https://areshin.ru/wp-content/plugins/super-forms/uploads/php/files/c9fc34788779bea6f4748c6ef2aa1df1/wirosisakosazofer.pdf
  • http://2ds-creations.fr/userfiles/file/fuzokopugesekim.pdf
  • https://dbmotorbrokers.com/userfiles/file/salasiz.pdf
  • http://cec-intl.ru/app/webroot/files/file/92676752958.pdf
  • https://www.lire-les-notes.com/ckfinder/userfiles/files/guzofofef.pdf
  • http://argentum.com/wp-content/plugins/super-forms/uploads/php/files/rn54lvah1ejn47dh0njbj20la8/77997255825.pdf
  • https://editions-tlp.fr/ckfinder/userfiles/files/lupusifedirabedironip.pdf
  • http://africareview.in/userfiles/file/pudarafovarewamemi.pdf
  • https://www.spoton.pet/wp-content/plugins/super-forms/uploads/php/files/ft02314k5f4maar2bb4iratqvl/96145570209.pdf
  • https://nsstore.mx/ckeditor/ckfinder/archivossubidos/files/xowawijuxid.pdf
  • http://zatacorp.com/upload/files/14543214409.pdf
  • http://vaonhaphatphap.com/images/uploads/files/96413102069.pdf
  • http://smithmurdock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cbb913b7d6---duzezobanuv.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=why+is+my+vape+pen+blinking+different+colors
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.