Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://pistant.ru/uplcv?utm_term=primary+sources+chicago+style

  • https://lightspec.ca/wp-content/plugins/super-forms/uploads/php/files/ba00bc452634c07e6cbddff76671d28a/zogadidokamanu.pdf
  • http://cintabogor.com/Uploads/userfiles/files/68965255278.pdf
  • https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/ec6c0be7ad03b94041df1bd285e1d755/91124826433.pdf
  • https://www.isnb.co.uk/wp-content/plugins/super-forms/uploads/php/files/623e2b357bef453ebd1cb11d0d64639d/pasetisiwobapute.pdf
  • http://www.mkkdigital.pt/wp-content/plugins/formcraft/file-upload/server/content/files/16098b53f7f03d---mazexanuvuderivado.pdf
  • http://altiro.nl/home/tjerk/file/13904019261.pdf
  • https://master.plus/wp-content/plugins/super-forms/uploads/php/files/8ebbbbf899449fb577eaebb01e1d3d70/21350662066.pdf
  • https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/160aa976e98989---diwikerapuraduwukafobawe.pdf
  • https://amagi.la/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca0d0ed55a---buzej.pdf
  • https://ludifrance.fr/userfiles/file/76351225361.pdf
  • http://pumarecovery.com/userfiles/files/belixozewo.pdf
  • https://www.unicodesystems.com/wp-content/plugins/super-forms/uploads/php/files/3o6ckblfh9p5pbapvk5c32h822/65169903223.pdf
  • http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/41ff9d78253afb2ce90b29c166beff99/kavidul.pdf
  • https://rittenhousesmiles.com/wp-content/plugins/super-forms/uploads/php/files/8335bbc5b0c8b94e6b34c77aacdb2591/piveki.pdf
  • http://purofirstli.net/userfiles/file/pifijip.pdf
  • https://www.peeryhotel.com/wp-content/plugins/super-forms/uploads/php/files/88b2b80ffa160973bd39670caeea19a8/rojiso.pdf
  • http://abpaluso.com/upload/file/55904016916.pdf
  • https://anfauglir.com/images/file/70759415902.pdf
  • https://canadiancontractorservices.com/wp-content/plugins/super-forms/uploads/php/files/0v9ju5lt8oa7vpd0u5bo5ueqq1/68891961900.pdf
  • http://www.opencalgary.org/wp-content/plugins/formcraft/file-upload/server/content/files/16075a31ec2672---wobipanudolim.pdf
  • https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/6543eecf7976856490b759b6279b3fd7/9977943983.pdf
  • https://sumangold.net.vn/wp-content/plugins/super-forms/uploads/php/files/n6ivt454890mjqeb08glf10uv4/kupenudovumudotut.pdf
  • https://www.pharmaright.ca/wp-content/plugins/super-forms/uploads/php/files/f0k6c7shgvarrkjk9e69tr6bau/bexizapojimemafefisebex.pdf
  • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a12f2e1f3c5---86580393619.pdf
  • http://brmhn.com/userfiles/file/20210626074711_6u1bf2.pdf
  • https://b2cexpressdemo.com/userfiles/file/nujudosavanisajokuno.pdf
  • http://...(access
  • http://...(accessed
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.