Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
  PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://makaifruits.com/wp-content/plugins/formcraft/file-upload/server/content/files/16095b236429c9---43171153397.pdf In PDF document text

  • http://prodesign31.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607a4274dc76a---bibagosijawixotidupi.pdfIn PDF document text
  • https://auf.vn/wp-content/plugins/super-forms/uploads/php/files/vcc903j5mb312j66fe2rvp0si3/xovijenu.pdfIn PDF document text
  • http://elonsummerstorage.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7c1c6d8adf---2613912815.pdfIn PDF document text
  • https://ecomassage.pt/wp-content/plugins/super-forms/uploads/php/files/2a6ns6ukesf9auqrj0fblgcqgb/zazovoximafelosel.pdfIn PDF document text
  • https://www.enviedecrire.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b55633e1bc---monam.pdfIn PDF document text
  • http://www.victorian-manor.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160756b2c605c4---lalibemozidedagukon.pdfIn PDF document text
  • https://cvsc.co/userfiles/file/9065910364.pdfIn PDF document text
  • http://www.louthadventures.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1607481e996fe2---pakiru.pdfIn PDF document text
  • http://www.akutrans.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ca378666b2---balipejetaroval.pdfIn PDF document text
  • http://cohn-vossen.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c18ca8633c9---21132983401.pdfIn PDF document text
  • https://prana.video/wp-content/plugins/super-forms/uploads/php/files/mg5uscqvm2br1sqomepvhkek8s/22802234176.pdfIn PDF document text
  • https://gradeagroup.com/wp-content/plugins/super-forms/uploads/php/files/e0gfk2r0hi1kqjvp97do5l8b88/42842630965.pdfIn PDF document text
  • https://webgirls-studio.com/wp-content/plugins/formcraft/file-upload/server/content/files/160caa9eda1f0f---vowavazosojuzizalotu.pdfIn PDF document text
  • http://a2itsolutions.com/chop/multimedia/userfiles/file/31417341788.pdfIn PDF document text
  • http://premiumresourcing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608acdc0e735a---65538517002.pdfIn PDF document text
  • http://trenermichal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160c8c9829ec22---zevavuretedegapexizo.pdfIn PDF document text
  • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160c86321c04d6---sipefitotuvudi.pdfIn PDF document text
  • http://www.louthadventures.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1608b57d74359a---78487487276.pdfIn PDF document text
  • http://staresecurity.com/userfiles/file/70893133352.pdfIn PDF document text
  • https://cvsc.co/userfiles/file/68187670614.pdfIn PDF document text
  • https://debcopharma.com/userfiles/file/16873511641.pdfIn PDF document text
  • https://artsketch.ru/wp-content/plugins/super-forms/uploads/php/files/999fd332f157879e8231ad245349a8fc/biwokibabiruke.pdfIn PDF document text
  • https://3dreamvr.com/wp-content/plugins/super-forms/uploads/php/files/46772e9f46c183ba7ee6777f4efd8776/69587594617.pdfIn PDF document text
  • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b0da3cc860---3826936412.pdfIn PDF document text
  • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=freak+the+mighty+pdf+filePDF link annotation
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://dejavu.sourceforge.netIn PDF document text
  • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.