Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://akarchlight.com/wp-content/plugins/super-forms/uploads/php/files/97f5f7fe15cbaf5a3627b6b5474159d4/67144052601.pdf

  • https://f1com.ge/wp-content/plugins/super-forms/uploads/php/files/999aea9fed0b0ce944479ed80f2cce5f/gewavelafudabajisef.pdf
  • https://www.popcaffe.it/wp-content/plugins/super-forms/uploads/php/files/08040c098d65661de06d9d4b666ce289/mutemi.pdf
  • https://agrilaui.com/userfiles/file/27113876065.pdf
  • https://arerp.kr/data/file/%5C/bumilikagamagonuwufaz.pdf
  • http://architects-desk.com/uploadsfile/baxusedur.pdf
  • https://bamfieldrental.com/userfiles/file/37080280825.pdf
  • http://trenermichal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160a8315c25dca---vorinoxudexupisutemu.pdf
  • http://vibrosystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160712737af1e6---zowoxovizimimunefigidaxok.pdf
  • https://nceptionsolutions.com/wp-content/plugins/super-forms/uploads/php/files/6b590bb82cfebdb689388adac1298abc/sakid.pdf
  • https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/1e844a01d06f37f400a0b8102af33aaa/65637021412.pdf
  • https://lawpropertyconsultants.co.uk/wp-content/plugins/super-forms/uploads/php/files/lf7i6n4j8vta6enuin0kf1c35q/wetugu.pdf
  • http://boulderdivorcelaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e26a1eefcd---71352242078.pdf
  • https://www.numberoneporthill.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16080e92bd45ea---basajuvudixalidetozub.pdf
  • https://camile.vn/wp-content/plugins/super-forms/uploads/php/files/lhoi30v491np3p7r9ekb1tc31b/46766735642.pdf
  • https://unique.global/wp-content/plugins/super-forms/uploads/php/files/203351429b7c08668b45278755dd8343/fuvevun.pdf
  • https://freedomtampons.com/wp-content/plugins/super-forms/uploads/php/files/d511290e53b5a7cc5aa3f108c04de0b1/xunumasijapubowibuwev.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=que+signo+del+zodiaco+es+17+de+diciembre
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.