Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://dugedepap.ru/123?utm_term=large+fondant+bow+template PDF link annotation

  • https://cdn-cms.f-static.net/uploads/4474223/normal_5fd3722c0540e.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4401723/normal_5ffff8333ad6e.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4493198/normal_600dabc31f4a2.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://43a2ba88-5de9-465b-b95f-6a4d82f2d06e.filesusr.com/ugd/dcbeda_f80444844b3543028d10965823e4f42f.pdf?index=trueIn PDF document text
  • https://s3.amazonaws.com/getizar/bowepaganid.pdfIn PDF document text
  • https://f770b3d7-c897-40e0-9323-5ad0abd91552.filesusr.com/ugd/1fa6dd_42050b77664e4c3eaad80ef069d83320.pdf?index=trueIn PDF document text
  • https://44eeb0f0-4dc9-4d8b-b3fd-cc7ace98e90e.filesusr.com/ugd/a083a1_5fe8de33f2b64b2bb5674fe01bf1579f.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/693044c3-35d1-4b26-ad5f-e3caa2146472/used_icom_718_for_sale.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/82491360-7e39-45ed-a427-7b649c4e24b7/comptia_a_exam_cram.pdfIn PDF document text
  • https://07e0a16e-b77d-475b-b724-88bbaedb347c.filesusr.com/ugd/8e9e2f_600f45aaa09940fea268a980f938a646.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/ab67466e-2258-485f-9d76-fa89092f2ec7/can_iphone_6_plus_use_apple_pay.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/b9222bcd-85a7-4ffd-8e34-6c0f390620ab/home_zone_security_light_manual.pdfIn PDF document text
  • https://s3.amazonaws.com/risalenefazozo/99531593945.pdfIn PDF document text
  • https://s3.amazonaws.com/mijumomub/45821683504.pdfIn PDF document text
  • https://s3.amazonaws.com/dixaleko/distribucion_normal_estandar_z.pdfIn PDF document text
  • https://s3.amazonaws.com/taguxif/8174839791.pdfIn PDF document text
  • https://s3.amazonaws.com/daxemo/the_second_great_awakening_reform_movements.pdfIn PDF document text
  • https://e0bfa911-60eb-4c53-bd8d-ceec25156dfb.filesusr.com/ugd/0a052f_6850d019ae254c5aadc206626c4538fd.pdf?index=trueIn PDF document text
  • https://s3.amazonaws.com/panalipolifod/wamijivatupig.pdfIn PDF document text
  • https://ba428ff1-d53d-4eb5-bdb2-cc960067f420.filesusr.com/ugd/7041e4_5711f67057fe48339bce5aec66a4e487.pdf?index=trueIn PDF document text
  • https://e82ff0bd-cb1a-4782-8b92-0a0fb7657660.filesusr.com/ugd/d17951_34f60472aa124f2f83226557295cdf28.pdf?index=trueIn PDF document text
  • https://s3.amazonaws.com/bokelur/81295051765.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.