Malicious PDF — malware analysis report

Heuristics 7

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
  Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
• ClickFix social engineering attack high SE_CLICKFIX
  Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://midufefew.ru/wix?keyword=zelda+oot+randomizer+multiplayer

  • http://bikejesoxatelo.mygamesonline.org/gagowob.pdf
  • https://cdn.sqhk.co/zesonixiv/T2Wupje/milesosavulok.pdf
  • https://lilugotowo.weebly.com/uploads/1/3/2/7/132711957/zikilabigefe-vorofap-vukob-doligila.pdf
  • https://fogufapepupol.weebly.com/uploads/1/3/1/8/131871477/mobixojerilawi.pdf
  • https://mebodamuruwij.weebly.com/uploads/1/3/5/4/135400263/fiwolixavuv.pdf
  • https://jipuziloki.weebly.com/uploads/1/3/2/6/132695969/lalarozobob.pdf
  • https://cdn.sqhk.co/sixojifez/Cgcjdgc/jejufekuti.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://1527c8d3-3321-4e9f-872f-e2bebb57bac2.filesusr.com/ugd/bf2d42_27fa83ab9c3749a1965ee37e00dfb869.pdf?index=true
  • https://uploads.strikinglycdn.com/files/c35a9d98-f360-46cd-a7a5-a2cb3eb88cde/57017996172.pdf
  • https://67389751-14cc-4ed3-b660-7ef7239e4cc3.filesusr.com/ugd/bb5584_8b262c6f963f4bcca99403068b5e57a6.pdf?index=true
  • https://uploads.strikinglycdn.com/files/78424d9e-7d85-4985-b7ba-4e06dc702b87/taco_bell_double_chalupa_box_calories.pdf
  • https://abaaaae4-9231-44fc-b12c-ad55ebcc68e7.filesusr.com/ugd/2ca09c_8a5247eefe0b4227914c934c4bbf46ea.pdf?index=true
  • https://16dc6c2a-32e3-4a69-9eea-5b59d93654f8.filesusr.com/ugd/176c29_92880b5179064443b7992090101098cb.pdf?index=true
  • https://uploads.strikinglycdn.com/files/7e92f647-5f40-4f30-9143-54b425d4cb00/boy_scout_store_tulsa_oklahoma.pdf
  • http://xusapibu.onlinewebshop.net/bokanejizomulekojeguro.pdf
  • https://uploads.strikinglycdn.com/files/047a480a-4d11-4e14-bfec-ab44a4ff7ffa/pattys_charcoal_drive_in.pdf
  • https://uploads.strikinglycdn.com/files/46ebd962-813c-4dda-9bb3-2d06f4b2f5b4/temple_of_sethraliss_mythic_keystone.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.