Malicious PDF — malware analysis report

Heuristics 5

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://whitelightdesign.com/wp-content/plugins/super-forms/uploads/php/files/e974786f3632c5c18482072b7b92b651/lutusuket.pdf In PDF document text

  • http://pebyte.com/wp-content/plugins/super-forms/uploads/php/files/nhqvu8tpe5jcf3giis1t1mhl7u/wapapamodofepumisojig.pdfIn PDF document text
  • https://www.gasserbush.com/wp-content/plugins/super-forms/uploads/php/files/e4b7ab72b3a2397b2bf261a236544d62/87750890663.pdfIn PDF document text
  • https://expeditions-travel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e511887596---renukab.pdfIn PDF document text
  • https://www.businesswatchguardingservices.co.uk/wp-content/plugins/super-forms/uploads/php/files/4nbfjit9dvg1ub8ft4vt32orkv/52473026228.pdfIn PDF document text
  • http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/16078b7c0a4403---latiwebajedivoxifazenu.pdfIn PDF document text
  • https://grahampropertytax.com/wp-content/plugins/super-forms/uploads/php/files/befa3ff8665cb1b700beb0d8d1ae872e/referomejakufen.pdfIn PDF document text
  • http://www.rolstoellift.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c51816cb20---74042786166.pdfIn PDF document text
  • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606c91c7732fb---rifuwanumana.pdfIn PDF document text
  • http://dossalas.com/wp-content/plugins/super-forms/uploads/php/files/faccec43cad6f2fba4ac2ebc8fa93266/vugaseweboxiremamelosi.pdfIn PDF document text
  • https://motionslam.com/wp-content/plugins/super-forms/uploads/php/files/b8cc38733f2c551477440f111713b7de/78505064676.pdfIn PDF document text
  • https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/6ed28c540f8a3f0273d7ef0563b4fc05/fetegirunaw.pdfIn PDF document text
  • http://subventionsbetrug.de/wp-content/plugins/super-forms/uploads/php/files/7a7grh62gsfdmsm2cbc7vmps1k/30343519345.pdfIn PDF document text
  • https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/1b938317afab511ecc3367c882ef375d/84927305098.pdfIn PDF document text
  • http://am-assets.com/aom/magnolia/userfiles/file/93624331308.pdfIn PDF document text
  • https://www.higher-energy-trampolineclub.com/wp-content/plugins/formcraft/file-upload/server/content/files/160723e1fe6895---70820785603.pdfIn PDF document text
  • https://chocoinmobiliario.com/wp-content/plugins/super-forms/uploads/php/files/4a95b17e2ff1c861106390229cb683fd/lajatiliwosezize.pdfIn PDF document text
  • http://webscape.co.bw/wp-content/plugins/formcraft/file-upload/server/content/files/16080a11ba14a0---jujazem.pdfIn PDF document text
  • http://recruiters-zone.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608710ca0bb11---luwezodisedo.pdfIn PDF document text
  • https://www.northwoodmedical.ca/wp-content/plugins/super-forms/uploads/php/files/p76bqt2jbsvqirtsq1tdkcbqmf/85616024065.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3CAf4wW3hvY/uplcv?utm_term=spreadsheet+software+deutschPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.