MALICIOUS
96
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
This PDF document contains numerous embedded URLs that point to a large number of other PDF files hosted on various domains. The heuristic 'PDF_SEO_LINK_FARM' indicates this is likely an attempt at SEO manipulation or to distribute malicious content through a link farm. While no scripts were directly extracted, the presence of many external links suggests a potential for further malicious activity or redirection.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://74-123-75-206.mgwnet.com/uploads/1/3/0/5/130538891/130538891.html#example+of+a+cover+letter+for+a+financial+job
- http://askwiseguys.com/uploads/1/3/0/4/130483856/jojado.pdf
- http://foreclosureprofits.ca/uploads/1/3/0/5/130538996/2151462.pdf
- http://www.1stswagexperiment.com/uploads/1/3/0/2/130287278/xotolosido_banebibonilizuz_bojati_moxavotuwawewek.pdf
- http://shroudsoft.shroudsoft.com/uploads/1/3/0/5/130538841/giwasegiguw.pdf
- http://oxfordnaa.com/uploads/1/3/0/5/130540453/9748685.pdf
- http://lucernemobilehomepark.com/uploads/1/3/0/4/130476649/nozobugeva-mokitizojabozij-joguxo-jojivakiweboto.pdf
- http://sbga52.sbgame.net/uploads/1/3/0/6/130622076/7123861.pdf
- http://www.sysadmindojo.com/uploads/1/3/0/6/130639831/918b349ca433.pdf
- http://martysports.com.au/uploads/1/3/0/2/130289541/518241.pdf
- http://bellacalore.com/uploads/1/3/0/7/130775652/murolapewoto_nakuf_rejaximaxisinof.pdf
- http://phase2concerts.com/uploads/1/3/0/4/130483981/kowekuvirelaba.pdf
- http://annabelchiarelli.org/uploads/1/3/0/5/130539218/4332370.pdf
- http://bigtexasphoto.com/uploads/1/3/0/8/130814718/5daf3afe25f7.pdf
- http://smalltubeparts.com/uploads/1/3/0/5/130589276/6de94.pdf
- http://radioclarendon.com/uploads/1/3/0/5/130544385/nopafixebanuku.pdf
- http://gamedayfanclub.com/uploads/1/3/0/9/130969231/tufasimosa.pdf
- http://theartofjuliette.com/uploads/1/3/0/5/130589179/9939450.pdf
- http://aqzsystems.us/uploads/1/3/0/5/130545447/0f42cbe00df83.pdf
- http://mitchellwenkus.com/uploads/1/3/0/6/130605083/5338609.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000072be.bin64f7c133ba296371c6f91997a14ea9216e0fdf6bbf6205f38354ab9e1afeee49 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x72BE | 8680 bytes |
font_01_sfnt_off000093fd.bin779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x93FD | 16036 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.