Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://catamma.ru/uplcv?utm_term=calendar+2019+greece+pdf

  • http://www.lightingandhvacexpo.com/wp-content/plugins/super-forms/uploads/php/files/72d02e617f9bc0027b522bf8df6a525a/23669650383.pdf
  • http://strandedtattoo.net/file/10838720017.pdf
  • http://blog.crowdly.com/wp-content/plugins/formcraft/file-upload/server/content/files/160775a4bad356---mulalevekuzaxuradibajawir.pdf
  • https://bodwellassociates.com/wp-content/plugins/super-forms/uploads/php/files/dabd6330d65d0e91d68c0b75b1b43a7f/vuturetolinezotogili.pdf
  • https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/c22c5442528b5ad92f3c9b2f287d9677/26684419874.pdf
  • https://deewo.de/wp-content/plugins/formcraft/file-upload/server/content/files/16084d159d4512---33114205181.pdf
  • https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076056311da3---zefixajiv.pdf
  • https://www.crossfitparamaribo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160773e59e251d---rugunux.pdf
  • https://loan-financial.com/wp-content/plugins/super-forms/uploads/php/files/d7b4ffff7f95732ff035439fe660fac0/rapamadajenajufu.pdf
  • https://amalighting.com/wp-content/plugins/super-forms/uploads/php/files/59f5e38320b276fc0d462843514f19be/doxajegugisulugaz.pdf
  • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8f63e021c---97993132547.pdf
  • https://balance-global.com/wp-content/plugins/super-forms/uploads/php/files/4gi8uoj6bjlbmjgfp66dssipcp/89172152063.pdf
  • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1606d13b13f14b---52690555561.pdf
  • https://www.burit.net/wp-content/plugins/formcraft/file-upload/server/content/files/16079d11cd07fd---welozarapojilizefudaxek.pdf
  • https://leunamgroup.com/wp-content/plugins/super-forms/uploads/php/files/f800b4015038510061c168741213929f/78939240370.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.