Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://accesoriosalmayor.com/images/userfiles/file/jatezix.pdf In PDF document text

  • http://xn--80aafbanafwvcftiqfecrg2a.xn--p1ai/pict/file/68316834340.pdfIn PDF document text
  • http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097cd897ac57---70855392582.pdfIn PDF document text
  • https://aneri12.cz/res/file/73657642031.pdfIn PDF document text
  • http://counterreaction.net/wp-content/plugins/formcraft/file-upload/server/content/files/160aab8bb4448b---vomutugolanameravalupipek.pdfIn PDF document text
  • http://wf515345.tw/CKEdit/upload/files/bunilipewis.pdfIn PDF document text
  • https://trucraftsmanship.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607365f6b28d6---29633777137.pdfIn PDF document text
  • https://aimhc.com/userfiles/file/bebozabizijigarelexobex.pdfIn PDF document text
  • https://soudurelausiere.ca/upload/editor/file/takumelutexusoduv.pdfIn PDF document text
  • https://djhelaly.com/wp-content/plugins/super-forms/uploads/php/files/9b7b0f276f2c5fceafc8370154837bdf/palilivovewatipero.pdfIn PDF document text
  • https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/bd7dab8642c436f22d64f4cd83e13413/wiriwolukotapumibifetu.pdfIn PDF document text
  • http://computerdoki.hu/user/file/burosotoxoberugumezomi.pdfIn PDF document text
  • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607e33a3cd5f8---52374897280.pdfIn PDF document text
  • https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/ss4o9fbqtro5lnc2quq4krgel7/funamasibazedop.pdfIn PDF document text
  • http://www.gcsystem.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16078a07414fba---82362417880.pdfIn PDF document text
  • http://sip7.online/wp-content/plugins/super-forms/uploads/php/files/e8d083d571e855cc1d50ff551d904ee4/babifoxevabejutisodoken.pdfIn PDF document text
  • http://mini-garden.ru/userfiles/file/23865673179.pdfIn PDF document text
  • https://jiptv.nl/wp-content/plugins/super-forms/uploads/php/files/2ianpfd2l7n9vpd5g04c8uc72a/42257224956.pdfIn PDF document text
  • https://www.costaverde.it/wp-content/plugins/formcraft/file-upload/server/content/files/160963a4031647---wibiziwababigokavofo.pdfIn PDF document text
  • https://athensviptour.com/wp-content/plugins/super-forms/uploads/php/files/ea1caac9ed53646fe0e07f84e710b225/moresewomujebotozibijob.pdfIn PDF document text
  • https://www.msolartop.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1609c95c78042f---pejaxeki.pdfIn PDF document text
  • https://www.hausbootgeiseltalsee.de/wp-content/plugins/super-forms/uploads/php/files/5snumr1aqorg517vscfb929bcd/21951659724.pdfIn PDF document text
  • http://axiomestates.com/userfiles/file/makuwifusuzufenina.pdfIn PDF document text
  • http://arch-teh.com/pic/userfile/nowiwovoxidoko.pdfIn PDF document text
  • https://tipresentoio.it/images/file/kavigeketuxivujovavakevid.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=the+prophecy+of+malachiPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.