Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://mezovuduw.ru/wix?keyword=what+direction+is+the+wind+blowing+today PDF link annotation

  • https://jupurelapuloful.weebly.com/uploads/1/3/3/9/133997255/fizebazipej_sagip_zexuso_jafusebaso.pdfIn PDF document text
  • https://wafugavewe.weebly.com/uploads/1/3/4/3/134369352/c519b88.pdfIn PDF document text
  • https://bobidowi.weebly.com/uploads/1/3/2/7/132740787/2136687.pdfIn PDF document text
  • https://tezilejesitox.weebly.com/uploads/1/3/1/1/131163634/1077013.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://b32521b7-32ca-447e-9967-d27d0dce683d.filesusr.com/ugd/800b88_7d2c5261cf8643dca675153da839b69e.pdf?index=trueIn PDF document text
  • https://ac09d6fb-20d1-47e2-97cb-2568fc137cdf.filesusr.com/ugd/03dcd4_5545f18091e74c65a1cb6b116cd99152.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/1697e824-b3b6-41fe-b418-1376dda90bd0/how_to_reset_tire_pressure_light_on_jeep_grand_cherokee_2013.pdfIn PDF document text
  • https://8d59741e-369e-44be-b01e-8fbcb09d2d01.filesusr.com/ugd/7cefa9_e4bfb5016c89479a8197b601e29f2938.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/79a10430-c9c4-4cc2-9373-8d44bb15911e/how_do_you_clean_a_dyson_vacuum_filter.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/d4ed048e-9e7c-4021-b096-8de021a01d9e/1626091641.pdfIn PDF document text
  • https://b66a6cc6-7028-4fd7-9d19-084b2b27c535.filesusr.com/ugd/4015cf_f4b7c4c648d74985b8c6e83e54a5af07.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/d7bf8fd7-63eb-43e6-9362-0c6f0c03655f/72645639545.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/7fdae088-fb03-4c27-9487-9a354999792e/the_maze_runner_series_explained.pdfIn PDF document text
  • https://937a8a2d-b41a-4163-aff8-eda6db263557.filesusr.com/ugd/21e6f2_35aea7f26bf8402a849394ba46798392.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/cae771e6-e41c-4dd1-a167-d2d7f3968480/sennheiser_ew_100_g4-me2-g.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/c31dd2d2-2aa3-41d7-9929-cadfa6d7568b/can_you_get_procreate_on_windows_10.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/d6d77206-fdad-4a91-afa7-b6a19e9014d4/faxabep.pdfIn PDF document text
  • https://89511c73-251b-4bee-a1a5-5f4bd4863124.filesusr.com/ugd/f24cb8_0140adc87eb74fe29be8a0e727154941.pdf?index=trueIn PDF document text
  • https://063758de-fb2f-4258-809e-b727485bfd5a.filesusr.com/ugd/89cda4_7c1a3a4fd1ea43298ced7f051e79e7ad.pdf?index=trueIn PDF document text
  • https://5c71d6b4-13b5-43a2-97a4-9a0eba4d0f4d.filesusr.com/ugd/0f1814_ffa1bdcf1eab49acb3c242195c0c505c.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/2637fe1e-625c-44ea-8139-08fc5c44c174/food_stamp_office_phone_number_bryan_tx.pdfIn PDF document text
  • https://28ae28a3-27cc-4d38-be83-0de1f6925f83.filesusr.com/ugd/454016_6b7129d894e14f9d8f1534092fdbc0c9.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/000b36e3-6378-4152-8ddf-44ebb5f3f279/gevexunulevenokafidifi.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.