Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
  PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://dfh-consulting.com/userfiles/file/sutemawamomijupe.pdf In PDF document text

  • http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/68c5e36d2a17c7bec3461991474f6702/14676531653.pdfIn PDF document text
  • https://apsco.ly/userfiles/files/vutaxaganijemeboroleja.pdfIn PDF document text
  • http://cuakeobinhduong.com/upload/files/40811411671.pdfIn PDF document text
  • http://yossy.biz/userfiles/file/46689955492.pdfIn PDF document text
  • http://fzcce.com/aimgs/uload/files/lalojajomubemirugedo.pdfIn PDF document text
  • https://fortlauderdale-carservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094527088d59---numewajojowivuzenokudajuw.pdfIn PDF document text
  • https://mytutr.com/wp-content/plugins/super-forms/uploads/php/files/6edc1b9184f695d0523eda04265c4de0/32321787097.pdfIn PDF document text
  • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087b7c533877---93921175701.pdfPDF link annotation
  • https://bedandbreakfastchia.it/userfiles/file/4459851740.pdfIn PDF document text
  • https://www.yoursurveysurveyors.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160bfa6b059126---fadilusip.pdfIn PDF document text
  • https://estidevelopers.com/wp-content/plugins/super-forms/uploads/php/files/67cd82d10220fa600c0ebedc77fe112c/73760661564.pdfIn PDF document text
  • https://www.hemoroidklinigi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606eee74ebe46---65804079997.pdfIn PDF document text
  • https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/f5a2eaf9e45e26464f690c8b3b716490/mafizamadironefa.pdfIn PDF document text
  • http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609ce835a371e---50990810149.pdfIn PDF document text
  • http://614move.com/clients/4890/File/5796099825.pdfIn PDF document text
  • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b4178699c3---42204701145.pdfIn PDF document text
  • http://regimhotelierbucuresti.com/images/userfiles/20040221442.pdfIn PDF document text
  • http://bsinteriordesigner.com/userfiles/files/8090115184.pdfIn PDF document text
  • https://loyallcanada.ca/editor_files/file/napolokazow.pdfIn PDF document text
  • https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/55qchuf8ms1l10ldcgjf41nm0r/jererupadutuvomeka.pdfIn PDF document text
  • http://kochamsushi.pl/UserFiles/file/mapusugidaxeserarefuvu.pdfIn PDF document text
  • http://ytovietnam.net/ckfinder/userfiles/files/dajobuxotufodivisa.pdfIn PDF document text
  • https://www.straightmyteeth.com/wp-content/plugins/super-forms/uploads/php/files/6a9b269a8cce8cac847efbe4e906c6fc/bajeniwetagirap.pdfIn PDF document text
  • http://eviljoy.com/UserFiles/File/21911765762.pdfIn PDF document text
  • https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=how+to+draw+a+flying+carPDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.