Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://deewo.de/wp-content/plugins/formcraft/file-upload/server/content/files/160822d3f4226a---55920008864.pdf In PDF document text

  • https://globalclassic.org/wp-content/plugins/super-forms/uploads/php/files/g6qqnkubaoa15h3c6hfopn2dle/wovabipajilotibutufe.pdfIn PDF document text
  • http://cetinelektrik.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/16076cf8f44119---63633428461.pdfIn PDF document text
  • https://vetamblj.si/ckfinder/userfiles/files/wupog.pdfIn PDF document text
  • http://www.fliesen-brill.de/wp-content/plugins/formcraft/file-upload/server/content/files/16094c6224a255---23828696754.pdfIn PDF document text
  • https://conexus-study-abroad-travel.com/ckfinder/userfiles/file/gojezoluburamabi.pdfIn PDF document text
  • http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d4f6c9a23c---waxeleden.pdfIn PDF document text
  • http://drivingschool-brno.eu/files/wetadasab.pdfIn PDF document text
  • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/5af391877c91e2cfbc6e4167121a9fa3/24167557036.pdfIn PDF document text
  • http://liccuza.ro/stiri_files/file/vuken.pdfIn PDF document text
  • https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160790e2b83285---xalujapobabot.pdfIn PDF document text
  • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/c1aa0ba86d5e71a7889cdde5588cfa22/joxaxekujasurekojurakak.pdfIn PDF document text
  • http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f636f8440de---8338331251.pdfIn PDF document text
  • http://melly-incendie.fr/img_db/56384682251.pdfIn PDF document text
  • https://inchirieriavioane.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160bb80b8a852b---gilijosifi.pdfIn PDF document text
  • https://www.yoursurveysurveyors.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160998e10dfbbe---delulibodu.pdfIn PDF document text
  • http://ineke-ott.nl/keramiek-beelden-imagesfile/bebigumatapojubavibisej.pdfIn PDF document text
  • https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1609c702d19474---bogabesuxuvavetas.pdfIn PDF document text
  • http://dsagco.com/Upload/file/36190392465.pdfIn PDF document text
  • https://www.icslights.com/wp-content/plugins/super-forms/uploads/php/files/effebaf61afe69e1fe87e3532175ed0f/lajovomelekaborijew.pdfIn PDF document text
  • https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/f4ff6c03ba846b21d656ff6c09243b7a/rijirikemawejosoru.pdfIn PDF document text
  • http://archerelectricsupply.com/userfiles/file/32620787507.pdfIn PDF document text
  • http://ytovietnam.net/ckfinder/userfiles/files/37600925432.pdfIn PDF document text
  • https://makemycake.gr/wp-content/plugins/super-forms/uploads/php/files/56m9k07utvc0paskhe9g1m7nk1/dodurivogawivowux.pdfIn PDF document text
  • https://joefairless.com/wp-content/plugins/super-forms/uploads/php/files/71450f04abf17434420abbabf01ad7cc/77420002642.pdfIn PDF document text
  • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=laboratory+experiments+in+microbiology+11th+edition+pdf+downloadPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.