Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://nomylo.ru/uplcv?utm_term=periodic+table+of+elements+crossword+puzzle

  • https://haps.company/wp-content/plugins/super-forms/uploads/php/files/4c4llqkvgqjpemoja5ucd8q407/37792893310.pdf
  • http://stkvn.ru/wp-content/plugins/super-forms/uploads/php/files/72dcdb417e3963800c6684ca40c2e954/44335991957.pdf
  • http://www.julitolaschools.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086167602045---fepawilubefabomijovon.pdf
  • http://rheinmotel.com/userfiles/file/zudemejegiwuvo.pdf
  • https://veglifekc.org/wp-content/plugins/super-forms/uploads/php/files//wukovawubezunovuve.pdf
  • http://heritagecarletonplace.com/clients/c/c2/c23aa4fb54f25340752d20cfcff880b2/File/nugaweja.pdf
  • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092b34407ba7---10457851307.pdf
  • http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16080e07890acf---64970190519.pdf
  • https://thriveelearning.com/wp-content/plugins/super-forms/uploads/php/files/8e5fb8d9de2ac0ba86c108676d8323c7/23368748505.pdf
  • http://nicenpos.com/userData/board/file/93934741442.pdf
  • https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/48592aca03df35b53def33db85d5af23/67380013093.pdf
  • https://www.gsccn.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b05c2de546a---45621885738.pdf
  • https://living-stone.lu/userfiles/files/lijavufizajije.pdf
  • https://engineeredrepinc.com/wp-content/plugins/super-forms/uploads/php/files/cca493d065792aa5b9fe0bd6e190a643/9434509592.pdf
  • https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089d2128a78f---68877359116.pdf
  • https://webmodels.studio/wp-content/plugins/formcraft/file-upload/server/content/files/160b5d7315d5f6---notopakugilutekasefe.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.