Malicious PDF — malware analysis report

Heuristics 6

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://xajibur.ru/strik?utm_term=how+to+make+ham+with+ginger+ale PDF link annotation

  • http://disconto50.info/23975956063jazoi.pdfIn PDF document text
  • https://cdn.sqhk.co/movozuba/9SNMid3/nagutanafuxi.pdfIn PDF document text
  • http://swiss-family.space/90021068811bznn5.pdfIn PDF document text
  • https://cdn.sqhk.co/kuzaxepigi/hzjaghj/monkey_running_android_game.pdfIn PDF document text
  • http://tevfikyuce.xyz/nibovokunuv2mca.pdfIn PDF document text
  • http://mainsale.pro/2711444955l1hun.pdfIn PDF document text
  • https://cdn.sqhk.co/fiporalisu/jdghgjc/talepofadaxarafodawuze.pdfIn PDF document text
  • https://cdn.sqhk.co/nivurerazusa/jjhatBe/marshalls_return_policy_different_store.pdfIn PDF document text
  • http://hookup756.fun/salesforce_platform_app_builder_certification_handbooktud3d.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://8909b315-4d59-4940-aabf-0fdaa532e0ad.filesusr.com/ugd/4542d9_2c4dc2196777490e82da989e9574e235.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/f6867658-10e0-46a1-bc72-9c4f18a9d06c/54056027675.pdfIn PDF document text
  • https://a54de82d-0003-4787-801b-d7ee719c780a.filesusr.com/ugd/8d57bd_9ce6713484c347ca815577e51cc190d4.pdf?index=trueIn PDF document text
  • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_59fbec5d77fb408382db366e92d90221.pdf?index=trueIn PDF document text
  • https://s3.amazonaws.com/fejakixoweka/calculus_hughes_hallett.pdfIn PDF document text
  • https://s3.amazonaws.com/jepinebawo/34026171242.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/e5e81577-2871-44cd-99d8-78185c1bc302/20365964070.pdfIn PDF document text
  • https://s3.amazonaws.com/povodijirig/dr_bruce_lipton_books.pdfIn PDF document text
  • https://336ddc11-c37d-4cd6-9685-7accad2975f7.filesusr.com/ugd/479fa9_b40e3f6b9a0e4bb9bf14c5426b12cf89.pdf?index=trueIn PDF document text
  • https://8ab1a2d5-e5b1-44c5-a28c-e09959565f0d.filesusr.com/ugd/eb712c_a8ffa152cd8e4fab8af1f710e2da5493.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/27bc5617-9132-47cd-a355-8c2f67af2a84/winchester_gun_safe_combination_instructions.pdfIn PDF document text
  • https://s3.amazonaws.com/zuguvoxoki/18219449635.pdfIn PDF document text
  • https://s3.amazonaws.com/nuselufuzo/lupafiparizukokumefoda.pdfIn PDF document text
  • https://29ca30ec-7ad4-487f-8637-d2d67f3a323c.filesusr.com/ugd/10b11f_3f776bfadbb44c3ea171db2ed6c7e42a.pdf?index=trueIn PDF document text
  • https://3d3b31fc-6152-41c7-b1d4-a4af3afcce63.filesusr.com/ugd/3f8d85_d3c983f3724d4bfc8f63940b97694066.pdf?index=trueIn PDF document text
  • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_91a394b00f8040f6ac9bff58646b27c2.pdf?index=trueIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.