Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
  PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://garglob.ru/pbw?utm_term=marenian+tavern+story+mod+apk+1.1.4ghz PDF link annotation

  • https://cdn-cms.f-static.net/uploads/4391314/normal_60b9b448c88d4.pdfIn PDF document text
  • https://jaxanotev.weebly.com/uploads/1/3/1/1/131164383/neruxesevesofen-goxedazivadus-nijimejemasupuj-lujixofojavo.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4424682/normal_60520eb8edf89.pdfIn PDF document text
  • https://cdn-cms.f-static.net/uploads/4366008/normal_60425f020b3f6.pdfIn PDF document text
  • https://static.s123-cdn-static.com/uploads/4454304/normal_5fff4b746d818.pdfIn PDF document text
  • https://lixevipilevorox.weebly.com/uploads/1/3/4/6/134634278/5691494.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • http://www.daltonmaag.com/In PDF document text
  • https://uploads.strikinglycdn.com/files/cc5588eb-3e62-4350-a5a4-5986209faffc/123420268.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/2eed470c-516d-4e8b-a7b4-719bff2b17f1/what_is_main_idea_and_supporting_details_examples.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/78903035-d861-4eb4-b03c-4a3402a1f672/vans_old_skool_low_top_white.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/c1ced64a-81f1-4c9f-919a-06fe04795e32/ketezupuripekulufugimerew.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/5ea79082-2873-49e7-9ff1-f80dacea687b/why_is_my_keurig_screen_not_working.pdfIn PDF document text
  • http://jumedew.pbworks.com/f/palabras_agudas_graves_esdrujulas_y_sobreesdrujulas_ejemplos_para_nios.pdfIn PDF document text
  • http://gafuxexosaru.pbworks.com/w/file/fetch/144682599/canada_visa_application_form_2019.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/aa6cea4f-717d-432f-88be-0fc6ac213c5c/2429103221.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/a3ec1fec-2207-4522-8d62-9a3aecbf49fc/kadurajutufeparipip.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/fd2b16fe-689b-407c-9552-5b3456acf140/xfer_serum_serial_number_free.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/60839f89-e6ef-411a-ba9e-8e6c45f5bfd4/integrity_selling_ron_willingham.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/ebdf8b22-bcb3-4c3b-b898-441101080c97/judigap.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e4ef9d30-9134-4c7b-b243-c2620d417e90/how_to_pair_plantronics_bluetooth_m70.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/a7ba1b96-8987-4d1e-b411-395a1dc284dd/nipelabarag.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/94f24058-5052-41c3-b1d9-c4d80f6d16a0/tisogipezoruwusedexabade.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/c1fa81b2-0cf9-4389-b829-349f941d8810/56075288134.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.