Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
  Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://minufagotokuwak.weebly.com/uploads/1/3/4/4/134489045/zadafuzadu-kewinelo.pdf.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://mezovuduw.ru/strik?utm_term=hotel+front+desk+supervisor+job+description PDF link annotation

  • https://cdn.sqhk.co/zogowefu/h0jggjq/tixesimiwepokotegek.pdfIn PDF document text
  • https://cdn.sqhk.co/lasumalena/ggwDhdC/quimchee_curious_cat_answers.pdfIn PDF document text
  • https://cdn.sqhk.co/vumivatuvi/MOgiMfo/kung_fu_zoom.pdfIn PDF document text
  • https://cdn.sqhk.co/penazavoxu/gbchflh/dessert_recipes_using_gluten_free_flour.pdfIn PDF document text
  • https://minufagotokuwak.weebly.com/uploads/1/3/4/4/134489045/zadafuzadu-kewinelo.pdfIn PDF document text
  • https://cdn.sqhk.co/duzefodaf/iEyjghc/jalanojowubepawe.pdfIn PDF document text
  • https://cdn.sqhk.co/jusupovexewa/gey0hba/okc_thunder_rumors_2020.pdfIn PDF document text
  • https://cdn.sqhk.co/sesexibanobu/thfSUjh/79733147783.pdfIn PDF document text
  • https://cdn.sqhk.co/lanumakefu/biggf1U/game_of_thrones_cast_season_2_episode_6.pdfIn PDF document text
  • https://cdn.sqhk.co/buzulexoxuve/haIjihi/fashion_designer_world_tour_cheats.pdfIn PDF document text
  • https://tofavasexivefet.weebly.com/uploads/1/3/4/5/134578877/risuzusezuxugogavap.pdfIn PDF document text
  • https://tomoniwibisuxis.weebly.com/uploads/1/3/5/9/135961627/vajevu_rinowasobapoxu_ropew.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://486bfeb6-87d8-40a3-812f-3449909c9139.filesusr.com/ugd/81b904_8e8630fcde1047f5b8953b7ee559df88.pdf?index=trueIn PDF document text
  • https://148d48ef-a78d-4e34-a4d2-755cfbac042a.filesusr.com/ugd/ccca9b_1f6437a20cf54dd28bfe2b9db372c9aa.pdf?index=trueIn PDF document text
  • https://a91f1da9-0b84-486d-9199-d95c2ecdf19f.filesusr.com/ugd/82421a_6da20d0e12964b619b9d0559ecaccd02.pdf?index=trueIn PDF document text
  • https://71da2aa5-51c3-4f2c-ab18-08bbbad20131.filesusr.com/ugd/d216cb_c6653ec6c4cf4ea1b9f2c7d57d5c039a.pdf?index=trueIn PDF document text
  • https://s3.amazonaws.com/rutufokedizon/fomakaloxedesekukog.pdfIn PDF document text
  • https://cfc603e6-7cd4-4c42-812b-9722deb80ae4.filesusr.com/ugd/0e9fc2_52874c901a934fa5b0f0dee1d8bc33fb.pdf?index=trueIn PDF document text
  • https://ad858f6a-7bbb-416d-9365-e04d7986ed9b.filesusr.com/ugd/3c9ac1_2cd79c0db1ab4e57bdfc0755103bad5c.pdf?index=trueIn PDF document text
  • https://b6d28218-96ba-4f98-b9c1-0d78b4e6fe84.filesusr.com/ugd/47aa88_bcc3295c77214690846ffdb635dfac5b.pdf?index=trueIn PDF document text
  • https://s3.amazonaws.com/remufuzu/43467855068.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.