Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://nipisod.ru/aws?utm_term=sat+reading+sample+test+pdf PDF link annotation

  • https://wipusometava.weebly.com/uploads/1/3/4/8/134846349/3479709.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4493282/normal_5ffb58bed9aaf.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4449771/normal_6039a13f42cd7.pdfIn PDF document text
  • https://mirulunus.weebly.com/uploads/1/3/1/1/131164386/dalijipo-madoz-gutikovunilitu-burabamakilizuf.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4367277/normal_6046b6746d338.pdfIn PDF document text
  • http://bit7.top/what_games_were_in_the_ancient_greek_olympicskb7uy.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4489237/normal_5fd3386c9e249.pdfIn PDF document text
  • http://storedubai.shop/wulotesilukanekopuxa5gzzh.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4450427/normal_603262b5480db.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4377662/normal_6025802008c16.pdfIn PDF document text
  • http://1xbets-regs.site/movusosuxituxubokexopajjpca.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4452389/normal_6033217f126c1.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4370762/normal_603f6a4260478.pdfIn PDF document text
  • https://rojofasefimo.weebly.com/uploads/1/3/1/6/131636828/2ebb08bfbd08.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4501993/normal_5fd08e85781bb.pdfIn PDF document text
  • https://tamaxanafe.weebly.com/uploads/1/3/1/8/131856242/tanot.pdfIn PDF document text
  • https://wavoxodasamemat.weebly.com/uploads/1/3/5/3/135348105/razubude.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://40e214c1-1950-44e8-a195-e2c6eeb23253.filesusr.com/ugd/a517f4_2cdc3de68bf14f0486c11901609a54bb.pdf?index=trueIn PDF document text
  • https://6ec3981f-6443-463b-a164-91fc69f101d9.filesusr.com/ugd/7603ae_23825cfbcb3c47e6b536d705d88bee57.pdf?index=trueIn PDF document text
  • https://367e539a-c541-4439-991c-4bf2bef2aa7a.filesusr.com/ugd/77d535_57c9232cf4674179bf0aceb56b45616d.pdf?index=trueIn PDF document text
  • https://ec8c99fd-5413-4e38-b6a0-2ccbba71fc6f.filesusr.com/ugd/de02f3_c49657636c3e44beaee0f68e29e2028a.pdf?index=trueIn PDF document text
  • https://ad843f61-c544-48d7-8cfb-3c048b9edb46.filesusr.com/ugd/0dd9ed_310833d8110f475c8296ebd8264b0404.pdf?index=trueIn PDF document text
  • https://18b62485-dce0-4e35-9712-b1d1f13fcb23.filesusr.com/ugd/296484_abf5bd3e719d4799bb7769e274594a40.pdf?index=trueIn PDF document text
  • https://37bcb4aa-7747-4ff6-a352-0e22bf983c21.filesusr.com/ugd/4393d3_68af02a658ac4e26a5779aa6d005fafb.pdf?index=trueIn PDF document text
  • https://3e80c8bf-0031-4ca1-bfa9-4484641fefed.filesusr.com/ugd/08103e_c05a2f554cfa49679d0078a9dbc829c6.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.