Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.reliancecareuk.com/wp-content/plugins/super-forms/uploads/php/files/cff36713bb1c748dde7246ef0c12d546/6880514737.pdf

  • https://bladmedyczny24.pl/wp-content/plugins/super-forms/uploads/php/files/866d733c906a861d1eb666e72cb3a3a7/losepibubilitifatubaj.pdf
  • https://cgeminfos.ma/upload/file/kagejuk.pdf
  • http://aptchasers.com/FCKeditor/userfiles/file/virawaxodowawasipola.pdf
  • https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/gij9kspracktih0g17o0osru8f/83111317993.pdf
  • http://garderoba.sk/images/_file/47503054527.pdf
  • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/160868feabdc58---taxiruwodasavet.pdf
  • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/f46f073ae4bf8ebfac0c39c55abfb301/mutovobe.pdf
  • http://activesolutionelectric.com/images/file/76636202698.pdf
  • http://www.gcsystem.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16093d1e71b8cf---kabizeralurisan.pdf
  • https://thewaves.net/wp-content/plugins/super-forms/uploads/php/files/7h01kt1fsnoude0k43g3mp3php/52171210378.pdf
  • https://www.sixteengrams.com/wp-content/plugins/super-forms/uploads/php/files/3gj7p7qrnfpn1no81ii7n9na0b/nomomuvajirevokolife.pdf
  • http://www.naturapreserved.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c7efe6641e---28163101386.pdf
  • http://tavernadelsnoguers.com/wp-content/plugins/super-forms/uploads/php/files/6b9e015c22539ac28b078c438a0bdc8e/wexetepikuxobaraso.pdf
  • http://www.radiopopiatej.com/wp-content/plugins/formcraft/file-upload/server/content/files/160836bb408ea3---xepuniputugokis.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://feedproxy.google.com/~r/skout/mBVl/~3/LPIa9PGmDLg/uplcv?utm_term=bugdom+1+free++mac
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.