MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This PDF document exhibits characteristics of a link farm, containing a large number of external links to other PDF files. The heuristic 'PDF_SEO_LINK_FARM' strongly suggests this is not benign content. The presence of numerous generated URLs points towards an attempt to manipulate search engine results or distribute further malicious content, likely as a component of a larger phishing or malware distribution scheme.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://adsl-63-204-18-4.benefitplans.org/uploads/1/3/0/7/130776166/130776166.html#imagenes+cachorros+pastor+aleman+negro+solido
- http://facesoftheforgotten.com/uploads/1/3/0/5/130588461/69bf0.pdf
- http://bacsbooster.com/uploads/1/3/1/0/131070469/1604501.pdf
- http://advancecargo.net/uploads/1/3/0/7/130739552/5024387.pdf
- http://lefkasluxuryvillas.com/uploads/1/3/0/8/130814200/1023084.pdf
- http://kp4pmd.com/uploads/1/3/0/5/130588182/afe89a.pdf
- http://tampabayendo.net/uploads/1/3/0/8/130814285/lokolugixi_koxuxaw.pdf
- http://thirtytoes.org/uploads/1/3/0/4/130483373/nejegejumuwilor_govama.pdf
- http://lismorecreativetilesandmosaics.com/uploads/1/3/0/6/130639611/zasuzerorep_wifadopo_tasimaxaluj_nulovituzara.pdf
- http://divinetruthspiritualtemplechurch.org/uploads/1/3/0/4/130483507/e1d7abc789.pdf
- http://windycitywinegirl.com/uploads/1/3/0/7/130739392/kufapodififepun_xogezekenitato.pdf
- http://sexybaubles.com/uploads/1/3/0/8/130873973/61d4594.pdf
- http://echoywang.com/uploads/1/3/0/7/130774977/4541349.pdf
- http://engagemealprep.com/uploads/1/3/1/3/131379206/mixopubupax.pdf
- http://sheilawrapsstones.com/uploads/1/3/0/9/130969566/3941173.pdf
- http://barkume.biz/uploads/1/3/0/2/130271187/4558930.pdf
- http://lipscombclothesline.org/uploads/1/3/0/7/130775821/nudawabel.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006e4f.bin74e0ba50a86c17a9abccdb87625997b60492ff0e5c88b013bd6dec2833d22d06 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E4F | 8836 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.