Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
  PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
  Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://crophysi.ru/wix?keyword=ikaw+lang+ang+iibigin+may+15+2018 In PDF document text

  • https://foluxafan.weebly.com/uploads/1/3/5/3/135397430/1275326.pdfIn PDF document text
  • http://mon-cmso.best/30032154887am3lh.pdfIn PDF document text
  • http://hookup666.site/curso_de_ingles_basico_conversacionalt1y6p.pdfIn PDF document text
  • https://xutifapob.weebly.com/uploads/1/3/2/7/132712150/nuwovewadewi_fufikejiwuji.pdfIn PDF document text
  • https://ruvawuwejijexut.weebly.com/uploads/1/3/0/8/130814193/1f603be6db0.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4366622/normal_5fe52d53b3767.pdfIn PDF document text
  • http://uaportal.site/7559382078x6wpw.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4472213/normal_603ca9bfc9c00.pdfIn PDF document text
  • http://copyrightnotice-ig.com/groove_life_camo_watch_bandsa0htt.pdfIn PDF document text
  • http://fbdirect.site/latest_malayalam_movies_torrentwf9wx.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://d73c234d-0e3d-497d-8108-d5659bace061.filesusr.com/ugd/58a813_58f025c530ef49d8b3de31772f896367.pdf?index=trueIn PDF document text
  • https://994180ce-385f-4272-9833-4a204a825e0f.filesusr.com/ugd/ec0c41_17adbdfd8c8946ac82b4b2b07999d065.pdf?index=trueIn PDF document text
  • https://acfc0e76-311d-46af-9c13-f46c112eb424.filesusr.com/ugd/f90bad_125a07d70ecc4be9a13bc9e7261f975c.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/431786cb-d3f5-4f53-b2cd-997e57870184/13779974029.pdfIn PDF document text
  • https://a7da3e60-63c8-46c1-a846-eab7df628ed2.filesusr.com/ugd/bba345_1f7b5614195f4970b8ab6580d4210502.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/8a74efad-cf5b-4d0e-9c81-da9517b0d86b/18574496365.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/682994bc-5863-4279-beb9-d829fc975dbe/the_future_of_the_mind_summary.pdfIn PDF document text
  • https://5d9de69b-f80b-44d6-9c2d-9027806fef0b.filesusr.com/ugd/e26ad2_5cb6b24de0124533a60e1f1b68829312.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/4eb744af-ddd0-48eb-ad20-c18e2343400c/lcm_worksheets.pdfIn PDF document text
  • https://fa202315-5cd5-4006-9a99-7c5d4406650e.filesusr.com/ugd/61804c_c08e605e29504ceea81e492ddf30231a.pdf?index=trueIn PDF document text
  • https://32b33340-d9da-4ef7-b3bd-a0ac5134eb71.filesusr.com/ugd/adfa6f_aacf28bef8d14d5390350275afe55ecc.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/b09dec7b-fba4-4f63-877b-a9ac7ce64892/fotakakaveverujuvafuxuju.pdfIn PDF document text
  • https://0ef2f354-78a3-4528-990c-72f69c86fc6a.filesusr.com/ugd/6a0da6_09b32474304b4f13aa61848687fe5375.pdf?index=trueIn PDF document text
  • https://9cf93ecd-64ee-4ad6-afcc-f350577a7522.filesusr.com/ugd/c4dbd3_e5cb66879818465aa8ad67f6950082f5.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.