Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://baarspo.ru/strik?utm_term=ti+nspire+cx+cas+vs+hp+prime+v2 PDF link annotation

  • https://cdn-cms.f-static.net/uploads/4463286/normal_6029e0a9ba26a.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4368970/normal_5fce5abd7f2db.pdfIn PDF document text
  • https://cdn.sqhk.co/komagiju/aNhejjy/reaper_leviathan_locations_map.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4493578/normal_6023505626f0b.pdfIn PDF document text
  • https://cdn.sqhk.co/jorawuge/gfj3heA/banifajer.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4447669/normal_5ff87352833bc.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4412570/normal_604206001d759.pdfIn PDF document text
  • https://cdn.sqhk.co/tirinakiweda/m5aaRgG/polowu.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4501383/normal_5ff3b97213bee.pdfIn PDF document text
  • https://cdn.sqhk.co/jasurisunav/hjMhtid/wood_shop_bbq_yelp.pdfIn PDF document text
  • https://cdn.sqhk.co/lomasamube/ejjVbTH/coronavirus_briefing_time_sunday_10th_may.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4472783/normal_602c42baea50d.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://37bcb4aa-7747-4ff6-a352-0e22bf983c21.filesusr.com/ugd/4393d3_06e0e392f6e5420cbb89a4155b11b831.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/3a190a31-7ac8-48da-80c9-cb455dd5f9ea/18599059413.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/73a5b134-1067-43b9-ba77-6cff198a8746/23859960321.pdfIn PDF document text
  • https://ebbb41b5-b8b7-4bfc-9e1b-23e79ad93844.filesusr.com/ugd/5eba67_0f9df4594bb847bb9bc7bc398127eeaa.pdf?index=trueIn PDF document text
  • https://6f672a44-e16c-4921-a0f1-e3781c0647c5.filesusr.com/ugd/bda22a_334d9f7b82374398b11b1210e9ee97c7.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/adfa373c-6ffb-4306-be4b-93b960546912/vazirodozawidefajifu.pdfIn PDF document text
  • https://8e6fe9cb-6e01-49b8-a8bf-add1d7538daa.filesusr.com/ugd/4e948c_f6a35d12b0794f22b9bb506f132048c5.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/9bfba871-1c0d-40c8-8f73-88285f19d686/how_to_program_a_chamberlain_clicker_garage_door_remote.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/404a8967-8245-409b-b2a6-df9bdff06154/kozubebabutobovegiwix.pdfIn PDF document text
  • https://13a7c488-548c-4b48-b567-d2b0b9a3e1de.filesusr.com/ugd/85d67f_2ac31e6c53d4442286d369f08ab7203b.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/ea6f06e5-ff0d-4107-9312-69a9b0cdb409/noral.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/1d030624-2e1f-4a56-aa62-ffded432cdb1/4058881766.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/61ecf71d-ff6e-4196-8ea0-853f61083ecc/introduction_to_the_calculus_of_variations_and_its_applications_wan.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.