Malicious PDF — malware analysis report

Heuristics 6

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://smidgel.ru/uplcv?utm_term=lightroom+cc+premium+apk+3.6+free+download PDF link annotation

  • http://www.bongbansaigon.com/uploads/files/ligobevavesapot.pdfIn PDF document text
  • http://pinturasoltra.com/images/slider/files/vorimuv.pdfIn PDF document text
  • http://commissioncollectionlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/tipetowowavo.pdfIn PDF document text
  • https://www.fishhabitatnetwork.com.au/application/third_party/ckfinder/userfiles/files/88324817696.pdfIn PDF document text
  • http://perechen-jurnalov.ru/js/ckfinder/userfiles/files/92766449679.pdfIn PDF document text
  • http://otvorene-srdce.sk/userfiles/file/41132432527.pdfIn PDF document text
  • http://tweddlefoto.com/files_contenidos/upload/files/7279736210.pdfIn PDF document text
  • http://speckletrack.com/update/editor/file/tisozagimabod.pdfIn PDF document text
  • http://cobe-ing.it/userfiles/files/sitalinesamipiwukav.pdfIn PDF document text
  • https://xn--22ck6bdp5cach0mc23a.com/ckfinder/userfiles/files/vulokazedum.pdfIn PDF document text
  • https://bgg.pirkitpadangas.lt/ckfinder/userfiles/files/67313376275.pdfIn PDF document text
  • http://eco-versute.com/app/webroot/ckfinder/userfiles/files/pavupemesemezudurujavetad.pdfIn PDF document text
  • http://dentherapia.hu/files/file/kudaxixevexoselimizis.pdfIn PDF document text
  • https://nceptionsolutions.com/wp-content/plugins/super-forms/uploads/php/files/34844809b7be36a0962311a38f28b554/togin.pdfIn PDF document text
  • http://nsk-nalogov.net/upload/files/67803879311.pdfIn PDF document text
  • https://pushtypathshala.com/demo/aims/files/images/files/68052582969.pdfIn PDF document text
  • http://dragonera.cn/admin/userfiles/file/xudedaz.pdfIn PDF document text
  • http://mecaniquekd.ca/upload/file/73632187703.pdfIn PDF document text
  • http://whitedwarf.ru/public/images/ckfinder/files/pigebix.pdfIn PDF document text
  • https://digireg.ch/upload/56089464443.pdfIn PDF document text
  • https://t4g.nasscomfoundation.org/wp-content/plugins/super-forms/uploads/php/files/3rokd0on39v0rcr7ulsc7fed66/dasafidovebabazawufuxizeg.pdfIn PDF document text
  • http://96stone.ru/userfiles/file/notanapavumotevuteteb.pdfIn PDF document text
  • https://peoplehelppeople.net/uploads/File/8492387941.pdfIn PDF document text
  • https://gresathouse.com/wp-content/plugins/super-forms/uploads/php/files/a607ab6c8f5d924012c919ce7fcaa7e9/74983029803.pdfIn PDF document text
  • http://rheinmotel.com/userfiles/file/21680163442.pdfIn PDF document text
  • https://ajwatravel.com/wheelmarine/userfiles/file/5246959473.pdfIn PDF document text
  • http://diagonal.org.ar/wp-content/plugins/formcraft/file-upload/server/content/files/1613a9c2b73991---69181443496.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.