Malicious PDF — malware analysis report

Static analysis result for SHA-256 bded7b6328e1e109…

MALICIOUS

PDF

Size: 78.9 KB
Created: 2021-05-04 00:53:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 71e94bff81d5890512cacdf4f5021e9b
SHA-1: bb748651858f1d6c93818691f1449b183dc041cb
SHA-256: bded7b6328e1e10958f34481db70df334cc2d3de4fa19e1686e2ceb0146656a7
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, largely clustered on a few file-hosting domains, which is the pattern of generated SEO/link-farm PDFs used to route users into malicious or unwanted-software delivery chains rather than a normal citation pattern. ClamAV matched it with a PDF phishing-trojan signature and the ML classifier scored it 0.9997 malicious. The metadata shows the file was rendered from HTML with wkhtmltopdf, consistent with bulk-generated lure documents. An AcroForm /Btn field paired with an action trigger adds the interactive element (a fake 'Download' or 'Open' button) that opens a URL when clicked. No JavaScript-specific heuristic fired, so the T1059.007 mapping should be read as a capability of the button's trigger type rather than as observed script content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [low] PDF_ACROFORM_BUTTON: AcroForm button with action trigger
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or launch dictionary).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing RDF/Dublin Core/XMP namespace URIs and the SIL OFL link come from the document's XMP metadata, and the font-vendor site most likely from embedded-font copyright strings; none of those are clickable lure links.
    • https://jacksth.ru/strik?utm_term=gerund+infinitive+participle+worksheet+pdf
    • https://cdn-cms.f-static.net/uploads/4409997/normal_5fe8157620028.pdf
    • http://xuvepawa.iblogger.org/23711427964.pdf
    • http://labiluwewinedu.22web.org/cursed_texture_pack_minecraft.pdf
    • http://dawirepitugijix.22web.org/verizon_fios_business_customer_service_phone_number.pdf
    • https://cdn-cms.f-static.net/uploads/4366339/normal_6031891e9f732.pdf
    • https://cdn-cms.f-static.net/uploads/4466391/normal_603aa7bc26ed8.pdf
    • https://static.s123-cdn-static.com/uploads/4409623/normal_5fddd87fafe2f.pdf
    • http://vujivozopix.iblogger.org/greys_anatomy_book_series.pdf
    • https://cdn-cms.f-static.net/uploads/4393209/normal_6025f2d89412f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://bb491b24-4c81-4ccc-8daa-bf1baeb171c2.filesusr.com/ugd/93c935_d04fad5c141b44dcae83240c46c39bd2.pdf?index=true
    • https://a8a70d16-e3f0-4805-b115-4d8c62c40b57.filesusr.com/ugd/82e28d_3a51a673ffbd4cd6b79a0f9c22ffd364.pdf?index=true
    • https://99516632-72ce-40f3-a9a1-a01c91361c65.filesusr.com/ugd/e42c35_a1d64fc97779469297bfcdcb2e33ffd4.pdf?index=true
    • https://0f926834-650c-4d5a-b53c-ad60ae412ccc.filesusr.com/ugd/6a44d8_c51f19efa9d945889ae5a51c42337f82.pdf?index=true
    • https://b4e79a3f-0083-4b26-8056-4fe87fb46dfd.filesusr.com/ugd/332c1b_1dda930932334d9bb7d6d020aad0e278.pdf?index=true
    • http://sajorasuxanuvil.epizy.com/picsart_apk_untuk_laptop.pdf
    • https://ad9f1622-e3b7-49db-bfef-326c48fb2104.filesusr.com/ugd/a467d2_3c95c6de67a5493691da93c5d028dffa.pdf?index=true
    • https://s3.amazonaws.com/jowutoneranemuk/senupemonikofikibigap.pdf
    • https://s3.amazonaws.com/tasufagijaremo/begum_jaan_full_movie_filmyzilla.pdf
    • http://xusonusoxe.epizy.com/72633201046.pdf
    • https://s3.amazonaws.com/megujobemegor/monster_manual_3.5_3.pdf
    • https://e8dc5420-792a-4861-90db-09cfc8d8a7d1.filesusr.com/ugd/1378f5_0af063517b014fedbcf6f30a6ad70c88.pdf?index=true
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_2e88573cd1314f5d8d7045f0ec61930d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
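To make the three structural heuristics above concrete, here is an added example (not the analysis engine's own code) that re-implements PDF_SEO_LINK_FARM, PDF_ACROFORM_BUTTON and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL over raw PDF bytes with regular expressions, which is enough for unencrypted, uncompressed object dictionaries. It runs against a constructed sample PDF embedded inline, not the sample in this report; the size, link-count and host-share thresholds are assumptions chosen for the illustration.

```python
"""Added example: minimal re-implementation of three PDF triage heuristics.
Illustrative code only, not the analysis engine's logic. Thresholds and the
sample PDF below are assumptions made for the example."""
import json
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample (not the analysed file): several /URI links clustered on
# one host, a /Btn field carrying a /URI action, and object 4 defined twice
# with different bodies, as an incremental update would do.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /S /URI /URI (https://example-cdn.test/a.pdf) >> endobj
5 0 obj << /FT /Btn /T (Download) /A << /S /URI /URI (https://evil.example/go) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-cdn.test/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-cdn.test/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-cdn.test/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/e.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.launchURL("https://evil.example/js")) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?ms)^(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Action types that make a dictionary "active content": open a URL, submit the
# form, launch a program, or run JavaScript.
ACTIVE_RE = re.compile(rb"/S\s*/(URI|SubmitForm|Launch|JavaScript)\b")
BTN_RE = re.compile(rb"/FT\s*/Btn\b")


def parse_objects(pdf):
    """Map (object number, generation) -> every body seen for it, in file order."""
    objects = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(pdf):
        objects[(int(num), int(gen))].append(body.strip())
    return objects


def extract_uris(pdf):
    """All /URI action targets as text (PDF byte strings default to Latin-1)."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]


def link_farm(pdf, small_limit=512 * 1024, min_links=5, min_share=0.5):
    """PDF_SEO_LINK_FARM shape: small file, many external links, one host dominant."""
    hosts = Counter()
    for uri in extract_uris(pdf):
        parsed = urlparse(uri)
        if parsed.scheme in ("http", "https"):
            hosts[parsed.netloc.lower()] += 1
    total = sum(hosts.values())
    if len(pdf) >= small_limit or total < min_links:
        return None
    top_host, count = hosts.most_common(1)[0]
    share = count / total
    if share < min_share:
        return None
    return {"links": total, "top_host": top_host, "share": round(share, 2)}


def button_triggers(objects):
    """PDF_ACROFORM_BUTTON: a /Btn field whose own dictionary carries an action."""
    hits = []
    for (num, gen), bodies in objects.items():
        for body in bodies:
            if BTN_RE.search(body):
                match = ACTIVE_RE.search(body)
                if match:
                    hits.append((num, gen, match.group(1).decode()))
    return hits


def duplicate_objects(objects):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same N G, different bodies. Reports
    what a first-wins and a last-wins reader would each resolve, and raises
    severity only when one of the bodies is active content."""
    findings = []
    for (num, gen), bodies in objects.items():
        if len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            findings.append({"obj": (num, gen), "first_wins": bodies[0],
                             "last_wins": bodies[-1],
                             "severity": "high" if active else "info"})
    return findings


def scan(pdf):
    objects = parse_objects(pdf)
    return {"link_farm": link_farm(pdf),
            "button_triggers": button_triggers(objects),
            "duplicate_objects": duplicate_objects(objects)}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_PDF), indent=2, default=str))
```

Run it on a real file by replacing SAMPLE_PDF with the file's bytes; for object streams or encrypted documents the regex layer sees nothing, so a proper parser (e.g. a library that walks the xref and inflates /ObjStm) is needed before these checks mean anything.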

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000f51e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF51E    5492 bytes
    SHA-256: 78db20ecd441ede8b2b2771b6a774393420de6e875fc241575d0c0e690ef3c29
font_01_sfnt_off000107e3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x107E3   11180 bytes
    SHA-256: 7a1504e01dcf4a11636f3d6d4da535b30a046049a7b6b26b16717606744a4c5c
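Carved sfnt blobs like the two above are what a font-parsing library will be handed next, so the first triage step is a bounds check on the sfnt table directory before any rasteriser touches them. The following is an added example (not the carver used by this report) that validates the offset table and table records; the sample blob is constructed inline, not one of the carved fonts listed, and the table-count limit is an assumption.

```python
"""Added example: sanity-check the sfnt (TrueType/OpenType) table directory of
a font blob carved from a PDF font stream. Illustrative code, not the report's
own carver; the sample blob is constructed here."""
import struct
import sys

SFNT_HEADER = ">IHHHH"    # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = ">4sIII"   # tag, checksum, offset, length
KNOWN_VERSIONS = {
    0x00010000: "TrueType",
    0x74727565: "TrueType ('true')",
    0x4F54544F: "OpenType CFF ('OTTO')",
}


def build_sample_sfnt(tables=((b"head", 54), (b"hhea", 36))):
    """Constructed minimal sfnt: a consistent directory with zero-filled table bodies."""
    directory_len = 12 + 16 * len(tables)
    records, bodies, offset = b"", b"", directory_len
    for tag, length in tables:
        records += struct.pack(TABLE_RECORD, tag, 0, offset, length)
        bodies += bytes(length)
        offset += length
    return struct.pack(SFNT_HEADER, 0x00010000, len(tables), 0, 0, 0) + records + bodies


def check_sfnt(blob, max_tables=64):
    """Return (ok, detail): the table list on success, a reason on failure.
    Rejects the shapes a font parser must not be trusted with: unknown magic,
    an implausible table count (assumed cap of 64), a truncated directory, and
    table records whose [offset, offset+length) leaves the carved blob."""
    if len(blob) < 12:
        return False, "header shorter than 12 bytes"
    version, num_tables, *_ = struct.unpack(SFNT_HEADER, blob[:12])
    if version not in KNOWN_VERSIONS:
        return False, f"unknown sfnt version {version:#010x}"
    if not 0 < num_tables <= max_tables:
        return False, f"implausible table count {num_tables}"
    directory_len = 12 + 16 * num_tables
    if len(blob) < directory_len:
        return False, "table directory truncated"
    tables = []
    for i in range(num_tables):
        record = blob[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, offset, length = struct.unpack(TABLE_RECORD, record)
        # Python ints do not wrap, so offset + length cannot overflow here the
        # way the same sum can in a C parser; the comparison is the real check.
        if offset < directory_len or offset + length > len(blob):
            return False, f"table {tag!r} record [{offset}, {offset + length}) leaves the blob"
        tables.append((tag.decode("latin-1"), offset, length))
    return True, tables


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sfnt()
    print(check_sfnt(data))
```

Point it at font_00_sfnt_off0000f51e.bin or font_01_sfnt_off000107e3.bin after carving; a record that runs past the end of the carved blob either means the carve was cut short at the stream boundary or the font itself is malformed, and either way the blob should not go to a rasteriser unchecked.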