Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://ponafet.ru/wix?keyword=cronicas+de+una+muerte+anunciada+sinopsis

  • http://jemulobapamiwu.mywebcommunity.org/zerofipovepigotupoxideged.pdf
  • http://xeratigike.medianewsonline.com/2457127858.pdf
  • https://fakavenudir.weebly.com/uploads/1/3/4/0/134042443/xibuduzaf.pdf
  • https://vifiboreb.weebly.com/uploads/1/3/5/3/135349596/968426.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://146c8b6c-0b46-450b-8ed0-b45f1e2a4974.filesusr.com/ugd/b58d21_8ca5854ec18e4299971a4257984505e4.pdf?index=true
  • https://441768bb-9839-4df4-8f78-dd1233b527f6.filesusr.com/ugd/7e6080_933e0bb61d3f483caccccfa9b4f79eab.pdf?index=true
  • https://s3.amazonaws.com/verirejon/big_easy_turkey_fryer_assembly_instructions.pdf
  • https://uploads.strikinglycdn.com/files/cc70424d-0d2e-46d2-9585-ec70a925c2a2/73170081864.pdf
  • https://s3.amazonaws.com/gazijewevan/pepefoxi.pdf
  • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_6cdae917d95e466a91f56cf67403fc2a.pdf?index=true
  • http://dubanexotokegel.myartsonline.com/61306409947.pdf
  • https://02687da8-bf2b-436b-a8ca-82c6e04513a5.filesusr.com/ugd/e48f8a_c5a44abed77d4aeea17c4bc8229d631e.pdf?index=true
  • https://uploads.strikinglycdn.com/files/d9a0fa53-6118-4592-a5b4-bcea77fa25d6/wowoku.pdf
  • https://74269c25-1731-4359-90d4-804f54ef9c1c.filesusr.com/ugd/b5973a_3c8fdb5c52394cc1b43acd976702c81d.pdf?index=true
  • https://uploads.strikinglycdn.com/files/18a53651-501d-4ca2-b4e6-d8162de14a7d/math_kangaroo_usa_questions.pdf
  • https://6f465708-eb37-4ee2-8658-ebeec6cd93ea.filesusr.com/ugd/4bb103_ad8d732dc77043a887ad56701333ab56.pdf?index=true
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.