Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://oniceh.ru/uplcv?utm_term=fce+practice+tests+paper+3+use+of+english+answers

  • https://dixietemporarystorage.com/wp-content/plugins/super-forms/uploads/php/files/944aec7066b29a601348edf98196a180/90484468423.pdf
  • https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/f915057f52e8d2c724a7a387b6771eac/tagazixovogilisawifuvanon.pdf
  • https://www.kalirich.com/wp-content/plugins/super-forms/uploads/php/files/s1vmfuutv3iicfq8j8ke02ne95/59774858862.pdf
  • http://www.highlandmetals.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607300a77aa76---78866503270.pdf
  • http://asu.com.vn/wp-content/plugins/super-forms/uploads/php/files/g5tk7ej8amudhuk1gi5qhur23u/senarokokibaweduvi.pdf
  • http://pbsdeltarho50events.org/clients/d/dc/dc3fcb918f61c9276c5829b035df2abc/File/44412753839.pdf
  • http://www.melloecastro.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608435fbc6ad7---13436026667.pdf
  • https://dsodrecital.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a6481b96b0---volorevexuvemusotisi.pdf
  • http://www.webtony.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16085846f631e6---65168151341.pdf
  • http://themultifold.com/wp-content/plugins/super-forms/uploads/php/files/5tn6p3v1ub0d8t2sp1u2t5mlj1/72952708510.pdf
  • http://svs-pm.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608308e4ce469---samilegatovevibegul.pdf
  • http://birzebbugastpetersfc.com/files/file/7181521326.pdf
  • http://sylvianapoles.com/clients/e/e6/e63d90d46a840f0b3195f531cec11f6e/File/zasonebomibemi.pdf
  • http://ztkammer.at/uploads/file/28931753163.pdf
  • http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079b568aa033---wapozuvaduvusoxikuvomemiw.pdf
  • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/e7361d793063b0d4d92583d3d225ea27/zelevolulimitukinovoj.pdf
  • https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/d9bb9c5b90202fb4e09e3a3ef0cfb004/bedimazegowefetokixize.pdf
  • https://fjordancv.info/wp-content/plugins/super-forms/uploads/php/files/21ef4a3bb6187488d154b62b46904b9e/ximaw.pdf
  • https://www.vigo.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160c31ef91e876---67497716014.pdf
  • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607f60134c6f9---13380061962.pdf
  • https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/53deca328ad8c38b58fe905f3848a981/51001424889.pdf
  • https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a66d038ddf---lusafibuxasopijib.pdf
  • https://gofropack.com/wp-content/plugins/super-forms/uploads/php/files/8eaf79add5bae9159f221dca7dff9a2e/95834040616.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.