Malicious PDF — malware analysis report

Heuristics 6

• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
• PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
  PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
• Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
  PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 42 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://mezovuduw.ru/strik?utm_term=should+you+wear+safety+glasses+for+coronavirus

  • https://cdn-cms.f-static.net/uploads/4384152/normal_60513ff27612b.pdf
  • http://remontvorot24.com/jomuxeforuygth4.pdf
  • http://consequences.space/72919881592367kh.pdf
  • http://testersairf.xyz/gmat_coaching_classes_in_vadodarae06fk.pdf
  • http://lofitner.buzz/citibank_credit_card_bill_deskaccv3.pdf
  • http://1yamal.space/stata_open_ado_fileaqjor.pdf
  • https://cdn-cms.f-static.net/uploads/4379837/normal_5fe7ed78e1555.pdf
  • http://eferevole.com/wikuvalejaxikumolemipilulkzjnt.pdf
  • https://uploads.strikinglycdn.com/files/238494f0-2c66-4515-b486-ac15c0323a80/hit_the_road_jack_lyrics_2wei.pdf
  • https://8a5a474a-a671-4857-921d-d1df0ee72544.filesusr.com/ugd/523716_3d11b76af74241009789af15d0015369.pdf?index=true
  • https://5e20aa6b-77ef-4f11-9344-5454fb7c649c.filesusr.com/ugd/fb3aa9_7b67f19e2e324e2fabb396807a786ea7.pdf?index=true
  • https://uploads.strikinglycdn.com/files/ff960629-112e-4d55-8d62-c1fca09e0b15/selefovijisu.pdf
  • https://a519209a-2b0a-481f-9fe9-460c873bdc80.filesusr.com/ugd/270e53_459a5240cec0453a9886a4460aa57b3b.pdf?index=true
  • https://da89e6ec-52f9-4c28-8de8-447a2e923c0c.filesusr.com/ugd/5e5b2a_f490401497d54957a02f8e648f01afb3.pdf?index=true
  • https://1c896d37-30d1-4b4d-9537-98f963aae812.filesusr.com/ugd/865d50_a8d98bc08c084f549804263c5908b04c.pdf?index=true
  • https://uploads.strikinglycdn.com/files/ce52c19b-0d57-4b3d-8cf2-f496a8739640/how_to_edit_gif_image_text_online.pdf
  • https://uploads.strikinglycdn.com/files/28e93042-a8a8-474a-b914-1e9fd973c5e7/netgear_wgr614v7_manual.pdf
  • https://5a995288-ce6f-4ae3-a3e6-14272d8003db.filesusr.com/ugd/7be1cd_182a7dd2007449af897ae8a9f671b695.pdf?index=true
  • https://uploads.strikinglycdn.com/files/3cd5a8e7-4926-4866-8a92-efcd84091fb0/nanajuzazevejizamibedode.pdf
  • https://a9f3490c-def6-45ea-9957-aefa341d54bd.filesusr.com/ugd/84b587_c278cd6e44814527a4d7b4d8458ba5ce.pdf?index=true
  • https://ef9935f7-a918-44a1-999f-f1d50a45e4a7.filesusr.com/ugd/b463f2_cc9e1c437f4b4d53b071e60a33d5f0f3.pdf?index=true
  • https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_71daa0eda9474c91990a9451fb89b036.pdf?index=true

Open this report in the interactive analyzer, or submit your own file for analysis.