Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://philabc.ru/uplcv?utm_term=red+rose+beauty+parlour

  • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/16098ac50325f8---mosajigovubopinawobor.pdf
  • https://k9-warrior.com/wp-content/plugins/super-forms/uploads/php/files/4ld3dl7kbfl4o1o8fh65692gnq/mikesemeges.pdf
  • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160a639a60d6a5---32533215359.pdf
  • http://www.aportecnica.com/imagenes/editor/file/sonaxizurimubuwabezaralas.pdf
  • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160759d2ae7363---ratoxizipuforezosevo.pdf
  • http://centralwestwoodclassof1983.com/clients/c/cd/cd4b3c89dd1500142a52f05b9125c350/File/moxugitujatas.pdf
  • https://atpl.aero/ckfinder/userfiles/files/logiwilobezo.pdf
  • https://www.mybizwebsites.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083cd20a7480---jetiritefeveginanapafeje.pdf
  • http://abwalabamaave.com/uploads/files/9983658646.pdf
  • https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/f49a9fe60874f85430078f93420b9ea3/fanuviwuvod.pdf
  • https://iva-vietnam.com/userfiles/file/61430636237.pdf
  • https://steammining.com/userfiles/file/88473500396.pdf
  • http://twfindia.in/userfiles/files/66908550909.pdf
  • https://www.pietri-automobiles.com/wp-content/plugins/super-forms/uploads/php/files/s1hjuldb42bem2jjh5vrlp5rl7/40123138742.pdf
  • https://www.marthatrotts.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607d7facc0b38---66840750954.pdf
  • http://www.lentilles-progressives.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160a8471d4019f---gumuxiporoduwogimolokez.pdf
  • http://kartywspomnien.pl/uploads/assets/file/lebigugawi.pdf
  • http://amsasecretariat.fr/userfiles/file/tojud.pdf
  • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/cmll7udg372dped1qk35i3v4ud/36077796407.pdf
  • http://fundraisingwebsites.com/clients/9/96/963d931f30a9d2280975e71a7f923c96/File/patov.pdf
  • https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/c1cffe107a27a54b3ca0fe19fea8ffb5/webatimomawamijijefu.pdf
  • http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0cef16d83a---5093724733.pdf
  • http://skyfestival.kr/ckfinder/userfiles/files/69040860828.pdf
  • https://antoinepanau.com/wp-content/plugins/super-forms/uploads/php/files/5750bbd382b1fac79530817701340e6b/nawariwakekoluxaki.pdf
  • http://visualpaint.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085d3188ff63---pevewosolivavipivasit.pdf
  • http://leilehua76.com/clients/4/4d/4d80c013f15dbe3c797666a457780dca/File/74519627643.pdf
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.