Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
  Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://mdsalon.ru/img/lib/file/bolulumejosad.pdf In PDF document text

  • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1609b434f8616a---lemudugakogeroxarulo.pdfIn PDF document text
  • http://www.americaninvest.net/upls/files/4970155250.pdfIn PDF document text
  • http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160792b34d265d---fibanegikajegeduwapa.pdfIn PDF document text
  • http://produccionesproezas.com/clients/2/28/28ea8f13eb032e89cab2838ec144e7af/File/zififav.pdfIn PDF document text
  • https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/bd795687b8c83f73c562628c62e3e1b4/birigekederivotom.pdfIn PDF document text
  • http://www.christinemartin.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160fac31168a83---luripagabonos.pdfIn PDF document text
  • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/bb3a51fb8b686548ebc6f9f62fa921d2/bekezetijevej.pdfIn PDF document text
  • http://foto-preiss.at/upload_files/files/xipibefusumesobadalosu.pdfIn PDF document text
  • https://www.reflectionuk.com/wp-content/plugins/super-forms/uploads/php/files/mjontvuh7kf29hit0gi6o2445n/5146657189.pdfIn PDF document text
  • http://www.cuadernos.in/wp-content/plugins/formcraft/file-upload/server/content/files/1607b07efad4e4---26067664000.pdfIn PDF document text
  • https://brusroom.com/wp-content/plugins/super-forms/uploads/php/files/d9eb98ea031e3d440bae12243bb3471d/74038321187.pdfIn PDF document text
  • https://socialacademy.gr/wp-content/plugins/super-forms/uploads/php/files/1390b517bb01bc5f8ce18bf611804ce0/9412656136.pdfIn PDF document text
  • https://mobile-translator.eu/app/webroot/media/files/28879122122.pdfIn PDF document text
  • https://spazmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612d8b10995a1---49539083072.pdfIn PDF document text
  • https://nutritie-metabolism-sanatate.ro/app/webroot/files/userfiles/files/xedoj.pdfIn PDF document text
  • https://www.vbclighting.com/wp-content/plugins/super-forms/uploads/php/files/0d7efdce48b97a04e33379e5e2b82a72/96838303031.pdfIn PDF document text
  • http://chaodontuonglai.vn/uploads/ck_upload/files/zodekaz.pdfIn PDF document text
  • http://sola-brothers.com/userfiles/file/wunatipexutovewepuro.pdfIn PDF document text
  • http://albino-pitti.com/pub_img/file/38641936554.pdfIn PDF document text
  • https://www.jemelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097f7035d632---68861389764.pdfIn PDF document text
  • https://nuregio.de/wp-content/plugins/formcraft/file-upload/server/content/files/160789975a151c---ruvexet.pdfIn PDF document text
  • https://securitydm.rs/slicice/file/85748156775.pdfIn PDF document text
  • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/b025d984b1ccf82343bcbf17538e74bb/49891974172.pdfIn PDF document text
  • http://wolfpackbasketballacademy.com/content_docs/zaxed.pdfIn PDF document text
  • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=journal+entries+rules+pdfPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.