Malicious PDF — malware analysis report

Heuristics 5

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://catherinehourihan.art/wp-content/plugins/super-forms/uploads/php/files/1155800fbe4c967f08b6f00f5c6feeb6/90015254192.pdf

  • http://www.ibadirect.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607254d160875---67265304813.pdf
  • http://www.optionassurance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607193d9671dc---64656929822.pdf
  • https://www.icslights.com/wp-content/plugins/super-forms/uploads/php/files/18ba4e28a7d53b4cd0e03081c7524697/nolimume.pdf
  • https://westcoastmovers.ca/wp-content/plugins/super-forms/uploads/php/files/j605mtbqbreu0ckpr6a8htnp9u/41894331025.pdf
  • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/3ebe0a918148b794fec4c5b4745c544d/23534580371.pdf
  • https://www.travelticket.com.au/wp-content/plugins/super-forms/uploads/php/files/f23qbiot6bht0vmn5aou1l3dk2/pesaripasuxekuw.pdf
  • http://texmet.pl/userimages/file/gozemebogo.pdf
  • https://www.ciabrini-immobilier.com/wp-content/plugins/super-forms/uploads/php/files/gdjmdkmoklpgb8e6l6ppdunarb/kexilub.pdf
  • http://sylvianapoles.com/clients/e/e6/e63d90d46a840f0b3195f531cec11f6e/File/34234410812.pdf
  • http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071b490ca6e3---98334529997.pdf
  • https://guapa2.com/admin/fck/file/64176859884.pdf
  • https://envomask.com/wp-content/plugins/super-forms/uploads/php/files/6b23342a8093e5f366f1056ba51a1ade/majizojaxadefapudejowi.pdf
  • https://moniimpex.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a725822d8f---97572431575.pdf
  • https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/9c6dd277b45cdfbd52e08b1f2063fe69/pajinabin.pdf
  • https://sellerflows.com/wp-content/plugins/super-forms/uploads/php/files/bbb11a2902aff72c0a1fdd243590170b/34753518834.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=gta+v+fastest+car+cheat+code
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.