Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://www.ideaklinik.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/16099eb6ed554f---93626252606.pdf

  • http://maychamsocda.vn/images/userfiles/file/rolep.pdf
  • https://floridaholidayplanner.com/wp-content/plugins/super-forms/uploads/php/files/d3aa0db9f6ea7bb71787e2112f053613/webesadita.pdf
  • https://www.aceitedeoliva.com/wp-content/plugins/super-forms/uploads/php/files/c76c95a135e1a47280c1c3572d3d3fbb/62458906435.pdf
  • https://autosaloncenter.com/uploads/file/migebamewuvigumetuf.pdf
  • https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/baa123d5539307c90008c9e4c3f24352/keladopid.pdf
  • https://burgaseguros.com/userfiles/file/dirafowazapovuwarev.pdf
  • http://omegapizza.net/uploads/files/nenemirojepevudosamozutu.pdf
  • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/f39b40c7300d4b073e72d7bb63abaa2f/nawurotabegid.pdf
  • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609da0ec0e345---13016530816.pdf
  • http://sherwoodchambergolf.com/ckfinder/userfiles/files/rolifuwumowib.pdf
  • http://www.finanzanlagen-honorarberatung.de/wp-content/plugins/formcraft/file-upload/server/content/files/16081946635365---kukazamepafokidigip.pdf
  • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/9e5f5e12788645b2aca05593adce1b6d/sunefekafosafijaruwop.pdf
  • https://farmaciasacoor.com/site/upload/file/fusuda.pdf
  • http://vietthanhstone.com/images/news/file/wawasakixu.pdf
  • https://bizdrive.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/1607143d0d5aca---bagevira.pdf
  • http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16096c64beb951---wibogologebexuxejo.pdf
  • https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/1607fed6c5ec90---nujujixoreridawem.pdf
  • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/0vuraobho2rmnmesu9aur0aeq5/13621608448.pdf
  • http://tz5168.com/uploadfile/image/2021/06/12/file/20210612_142351_189.pdf
  • https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/ttich81dc18enk6ecb5u8g8hf7/42963187336.pdf
  • https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/3knivfub5ctf8l0kh470l920uu/61562632457.pdf
  • https://lcd96.ru/wp-content/plugins/super-forms/uploads/php/files/13b81c2488793e3e0f2fb0bcf0f6c790/61852419647.pdf
  • https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/78e88b2a082fc1227421c64d11fd30fb/31566762766.pdf
  • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b64d7da713c---47490638057.pdf
  • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/3f10f09d89110a0d645fdf3eb436b63b/serenobadovolemawikiwanan.pdf
  • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=that+time+of+year+thou+mayst+in+me+behold+analysis
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/pdf/1.3/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/rights/
  • http://dejavu.sourceforge.net
  • http://dejavu.sourceforge.net/wiki/index.php/License

Open this report in the interactive analyzer, or submit your own file for analysis.