Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
  PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://philabc.ru/uplcv?utm_term=kevin+hart+seriously+funny+full PDF link annotation

  • http://actionelectric.pt/www/wp-content/plugins/formcraft/file-upload/server/content/files/160a09a39db509---puzomadinopozugadaba.pdfIn PDF document text
  • http://mtcongnghiepxanh.com/upload/fckimagesfile/nibugokabikekumuru.pdfIn PDF document text
  • http://blatt-gruen.ch/files/70313350935.pdfIn PDF document text
  • https://monarchwinemerchants.com/wp-content/plugins/super-forms/uploads/php/files/3bf346df6ed21dfd0945878568681cb4/wafozuzekelufavof.pdfIn PDF document text
  • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc83aa452c5---gipujelujukevofeler.pdfPDF link annotation
  • http://ildungrice.com/fileupload/fckeditor/file/69403593395.pdfIn PDF document text
  • http://www.aportecnica.com/imagenes/editor/file/nodelofoxagaxalajuxuwek.pdfIn PDF document text
  • https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/h1rg37nvq01kj0sk61pqfp76js/92505262278.pdfIn PDF document text
  • http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/160cfc5a94d8dd---54721567479.pdfIn PDF document text
  • https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/79bfd2bc096614508e53e7e0afda9da0/nofojime.pdfIn PDF document text
  • http://timapools.com/uploads/files/20662213105.pdfIn PDF document text
  • https://estigotours.com/wp-content/plugins/super-forms/uploads/php/files/e78306cc10d7fc09ff7f6dc594673f7b/76356105560.pdfIn PDF document text
  • https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/jrm493rr6ibohq9jqn0sal6cm5/58191355069.pdfIn PDF document text
  • https://primeodontorj.com/wp-content/plugins/super-forms/uploads/php/files/15fd4b38c6695e9e737d55718ce1ee13/jazojuvonabelepoxivi.pdfIn PDF document text
  • https://vmkstroi.ru/wp-content/plugins/super-forms/uploads/php/files/b1f2d563d1b036760b5d2bf123b92197/83191448014.pdfIn PDF document text
  • https://zweiund40.com/wp-content/plugins/super-forms/uploads/php/files/cb40hrgs7a88i1g4o2bp9uohmg/lokevotenukurulijenuj.pdfIn PDF document text
  • http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/16076ba9e1218c---totezojodebezogupu.pdfIn PDF document text
  • https://ceilford.org/wp-content/plugins/super-forms/uploads/php/files/731f99287bf8853a3932ece06d62e7d1/46620508890.pdfIn PDF document text
  • http://maidnheaven.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607661e8a0878---30120873504.pdfIn PDF document text
  • http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8ba7a9bca2---66116240320.pdfIn PDF document text
  • https://edusfera.pl/upload/file/30235023733.pdfIn PDF document text
  • https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/9babcc32f5d69b50cc13cdda6e1be32d/pipabov.pdfIn PDF document text
  • https://elitestrategyglobal.com/wp-content/plugins/super-forms/uploads/php/files/cfb3690e1c45bd0b5e06d67cf6f2ba67/gefejoxozuvixub.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.