Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://sunuf.co.za/XSRYdR1H?utm_term=user+manual+for+alcatel+1+mobile+phone PDF link annotation

  • http://www.alwaysflorida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1621feb8a3530c---vopujeluj.pdfIn PDF document text
  • http://formasrl.com/admin/kcfinder/upload/files/gebimora.pdfIn PDF document text
  • https://washlounge.in/ckfinder/userfiles/files/dolojebewufolivu.pdfIn PDF document text
  • http://balony.dmuchance.eu/userfiles/file/87596458419.pdfIn PDF document text
  • http://hjhchem.com/upload/files/sewesufegefugo.pdfIn PDF document text
  • https://www.zaantraining.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1620ead42f12fe---difiziwowibaso.pdfIn PDF document text
  • http://ssss-sangam.com/userfiles/file/79205411534.pdfIn PDF document text
  • https://posaonakosovu.com/ckfinder/userfiles/files/31886636542.pdfIn PDF document text
  • http://endustriyelkiralama.com/wp-content/plugins/super-forms/uploads/php/files/ppogt49do5cr3jvvs4koicmvfs/89795237916.pdfIn PDF document text
  • https://limberhurstgallery.com/imageuploads/file/56493017051.pdfIn PDF document text
  • http://dansensvenner.dk/imagesfile///wepofetub.pdfIn PDF document text
  • https://www.escolamacrobiotica.pt/backoffice/assets/js/kcfinder/upload/files/gupus.pdfIn PDF document text
  • http://jinanxintiandi.com/userfiles/files/18794471057.pdfIn PDF document text
  • http://foto-recepty.sk/images/fotky/xodurawivukujipofogege.pdfIn PDF document text
  • http://live-lessons.net/lcj/web/uploads/assets/file/perorexepen.pdfIn PDF document text
  • http://diadiemvui.com/upload/files/rotogagozerozituduze.pdfIn PDF document text
  • https://dassti.cl/admin/uploads/file/97001430331.pdfIn PDF document text
  • https://dipinkrishna.com/wp-content/plugins/formcraft/file-upload/server/content/files/162231ab4c43ed---76871974151.pdfIn PDF document text
  • http://fotofolliasanlazzaro.it/userfiles/files/76308056490.pdfIn PDF document text
  • https://maloneslandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/1622661d20960d---fojupegowuki.pdfIn PDF document text
  • https://ptsound.com/plugins/ckfinder/userfiles/files/14238915048.pdfIn PDF document text
  • http://erdelyironkbutor.hu/admin/kcfinder/upload/files/35289090555.pdfIn PDF document text
  • http://omonetach.pl/foto/ilustracje/file/tolaxapexe.pdfIn PDF document text
  • http://fructusartis.com/i/File/jatuvagid.pdfIn PDF document text
  • http://www.bash.cl/media/file/revolifoziped.pdfIn PDF document text
  • http://cleangroupbd.com/ck/upload/files/vusoribif.pdfIn PDF document text
  • http://cn-daomeng.com/upload/userfiles/files/f786210de722547e5fc87fc98cc31865.pdfIn PDF document text
  • http://loxocongnghiep.com/MINH/user_files/file/kajesoraredepa.pdfIn PDF document text
  • http://satexvernaz.fr/kcfinder/upload/files/vovigorisajumelo.pdfIn PDF document text
  • http://www.egavilanes.com/ckfinder/userfiles/files/89076852507.pdfIn PDF document text
  • https://www.veskom-slovakia.sk/gfx/administration/js/ckeditor/kcfinder/upload/files/wafinubogigatarivilaxagu.pdfIn PDF document text
  • https://dezsredstvompx.ru/wp-content/plugins/super-forms/uploads/php/files/99450c3ef7d0512fb94b55ecb99a6d85/57194922447.pdfIn PDF document text
  • http://4bx.pl/public/file/70893933255.pdfIn PDF document text
  • https://pastelbuilders.com/userfiles/file/28780757076.pdfIn PDF document text
  • http://tasfor.com/files/galeria/files/buvofipibisumefebajimo.pdfIn PDF document text
  • https://amoslodge10-org.alljobsinliberia.com/ckfinder/userfiles/files/85931762419.pdfIn PDF document text
  • http://debeleven.net/UserFiles/File/bugiriliwopesemukupesamix.pdfIn PDF document text
  • http://dothimau.vn/kcfinder/upload/files/12026395643.pdfIn PDF document text
  • https://www.hippocratio.gr/ckfinder/userfiles/files/15558353956.pdfIn PDF document text
  • https://hkparkkonutlari.com/image/files/40506026299.pdfIn PDF document text
  • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/16225a168daaa1---12339896959.pdfIn PDF document text
  • http://xn--hh0b97d8is16e.com/userData/board/file/71029938152.pdfIn PDF document text
  • http://nbaindia.nic.in/includes/ckeditor/plugins/kcfinder/upload/files/rupenobawavef.pdfIn PDF document text
  • https://hab.erdenet.mn/userfiles/files/63575044054.pdfIn PDF document text
  • http://dialog-seversk.ru/jsplugins/ckfinder/userfiles/files/39687114609.pdfIn PDF document text
  • http://heizler.hu/files/file/56999944438.pdfIn PDF document text
  • http://www.barczyk.plwww.sgpm.krakow.pl/aanewsysn/kcfinder/upload/files/77556958805.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text

  +6 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.