Malicious PDF — malware analysis report

Heuristics 4

• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://smidgel.ru/uplcv?utm_term=android+developer+job+opportunities

  • https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/80a1d876c13b8050c2854da6ec9f055e/71310722318.pdf
  • http://aldo-ins.com/userfiles/file/kuzatevokeveku.pdf
  • https://floorco.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/95f33048c0e2645bd7792892a1a8a5c5/gozodusaxezedofuvedisut.pdf
  • http://anthonyvienna.com/sites/default/files/file/dojunagitorokoni.pdf
  • http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081ca1d4eb38---duvavisafazofajasasi.pdf
  • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/160972b4c6157a---gavida.pdf
  • https://pensionatiitalianiinportogallo.it/wp-content/plugins/super-forms/uploads/php/files/e1ea2f0096233db84e901a3d2a352757/82818761167.pdf
  • http://yuha.be/_files/file/51714223816.pdf
  • http://www.tecnotrefg.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609c4ce6a1c5d---girebegavitaxogijikitataj.pdf
  • http://boulderdivorcelaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085ffc85fb84---906979628.pdf
  • http://ghalemdi.com/userfiles/file/84371948509.pdf
  • https://messianic.live/wp-content/plugins/super-forms/uploads/php/files/c4d01f9cc9dd67429cfee500fe412861/fewita.pdf
  • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/01e7831a7cabf0ca4ceca1ec0e902f27/96228035812.pdf
  • https://akproauto.com/nbloom/fckuploads/file/36958828265.pdf
  • https://www.actionconstructionjax.com/wp-content/plugins/super-forms/uploads/php/files/60af0e4191791ecab9055a9777118053/kamaforuvowesa.pdf
  • http://bigxra.com/uploadfile/file/2021051110453273499.pdf
  • http://www.ascendercorp.com/
  • http://www.ascendercorp.com/typedesigners.html
  • http://scripts.sil.org/OFL

Open this report in the interactive analyzer, or submit your own file for analysis.