Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://pelibifir.ru/strik?utm_term=deezer+code+generator PDF link annotation

  • https://karubidodofibe.weebly.com/uploads/1/3/4/3/134316277/kasuwitelubiboxaruj.pdfIn PDF document text
  • https://vogitoroxubas.weebly.com/uploads/1/3/0/7/130739894/papavifuruzofowojun.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4368997/normal_605b8f2d81264.pdfIn PDF document text
  • https://vakejijumusefuv.weebly.com/uploads/1/3/5/3/135313512/83820a.pdfIn PDF document text
  • https://divulonuwuw.weebly.com/uploads/1/3/1/4/131482828/6068891.pdfIn PDF document text
  • https://pamuguvijokogag.weebly.com/uploads/1/3/4/8/134883264/rupikezetox.pdfIn PDF document text
  • https://static.s123-cdn-static-d.com/uploads/4371010/normal_60affa137494d.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4409628/normal_604e1ee27637b.pdfIn PDF document text
  • https://minibomutax.weebly.com/uploads/1/3/6/0/136011914/6905894.pdfIn PDF document text
  • https://lovetawufekevo.weebly.com/uploads/1/3/4/3/134339121/635130.pdfIn PDF document text
  • https://putavoguxula.weebly.com/uploads/1/3/5/3/135325624/3dfc9d44.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4369903/normal_6017c3cf7e3bf.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4416789/normal_5fd99b50b2f2a.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://uploads.strikinglycdn.com/files/7cd0ba1a-a1ba-4602-9d05-53af06b213b2/20583959242.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/0018eb65-1280-4a0e-91a7-0952bef5baec/pagijif.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/653a3f19-45cd-44ba-8421-a1936835fbe1/steamed_broccoli_nutrition_facts_100g.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/2bfb3bb5-c4dc-46d0-8b4f-bac0be4433c1/how_to_be_your_own_dj_at_a_wedding.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/fd51cd62-d120-4143-999d-47c2ce2b1101/dafopetofarapovatuki.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/5dbbd309-40b7-4939-9acf-1104b4d4226b/30550415398.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/4e996e64-c774-4261-b6ab-6d81baf59396/94831583324.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/f15b863b-cee3-4303-8428-5c66ea3643b3/watch_tuesdays_with_morrie_movie_online_free.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/3c42b98a-2ef5-442f-9e65-05246297b38a/gta_5_apkdataobb_2.6gb_zip.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/8dabe218-263f-4044-adbd-4ed52ea7b39d/75946664930.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.