Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6e3dc64d63b8c92…

MALICIOUS

PDF

Size: 78.5 KB
Created: 2021-03-13 23:36:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: 97959bdca1dcce46f105cb636128f427
SHA-1: b1893144eb8b0be16bb896c37f2c6b96092a1795
SHA-256: e6e3dc64d63b8c92b50b0b80e2d0506c30339ac335814e2ee2d980fd87203288
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. It contains a link farm of numerous external URLs, suggesting it is designed to redirect users to potentially harmful websites. The PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM heuristics further support this, indicating a tactic to generate traffic or distribute malicious content through a large number of links. No scripts were extracted, but the overall structure points to a phishing or redirection scheme in which the risk lies in the linked destinations rather than in the file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e854.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE854 | 5068 bytes
  SHA-256: 1e1c393fcbd73317655fe085ee88ee3417ed9c3a4446c590539318a483375d46
font_01_sfnt_off0000f985.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF985 | 10844 bytes
  SHA-256: d8b89fc3aa66500cc6633c3527472deb5fadf088f185b287a951bf8d4b7ef831
font_02_sfnt_off00011e63.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E63 | 4324 bytes
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f