Verdict: MALICIOUS
Risk Score: 74
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell (listed by the analyzer; no script content was extracted from the sample, so this mapping is not backed by any observed command)
- T1566.002 Spearphishing Attachment
The document text carries well over a hundred URLs (50 are listed below, 68 more are elided). Almost all route through one PHP gateway, http://dubaipropertyrentals.net/idealow/causemusic.php/, and the remainder point at http://www.toledano.fr/ and http://www.technicalanalysisdaily.com/. Every target ends in a .pdf slug built from a random alphanumeric token with an embedded numeric id, the generated shape of an SEO link farm rather than a real document name; the PDF carries no exploit of its own, and the risk is what those destinations serve or redirect to. Two structural findings stand apart from the links: a second complete PDF body at offset 0x16976 (carved as polyglot_child_pdf_off00016976.pdf, 77685 bytes), whose contents matched the analyzer's exploit/lure heuristics and account for the single high-severity hit, and an indirect object defined twice with different bodies, so first-wins and last-wins parsers will not agree on its content. No JavaScript or other script was extracted, which limits what can be said about execution behaviour: treat the URLs and the child PDF as the items to pivot on, and analyse the carved child as a document in its own right.
Machine Learning
- Nyx PDF Classifier clean score 0.0568
Heuristics (4)
- high POLYGLOT_CHILD_PDF_STATIC_TRIAGE: Secondary embedded PDF body has suspicious static findings. A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
- medium PDF_SEO_PHP_GATEWAY_LINK_FARM: PDF carries a PHP-gateway SEO-spam PDF link farm. The PDF contains four or more clickable links whose target is a .php gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma, binary-options or 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
- info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- info EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs
- http://dubaipropertyrentals.net/idealow/causemusic.php/nY__sklP_kJrszJs16215619rvo.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/PkmwrvJdkvzfxwtxisskerPQvrb16243883fJns.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/_nakJuGozckdGrGehrlhfid16215860Ju.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ilsvuaG16215894dedu.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/u_kuvYGa16215521ti.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/aueundkG16216128rG.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/mnofYocohsbYooQoorJ_fnJGf16215487b.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/lQvoP_urQePdtemnzidarrsnrPe16243845u.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ddauJehxtoexz16243770iJd.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ndQuobshdvrnJJ_rs16243752cm.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/wzb16215682hfin.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ui_mGnordmurn_wntesQifbeJ_GPl16215423fsf.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/Yofv_eYx_uxfhQnarniQvotbmiJrwY16243793t.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/oeunascQQsexvGbmmmQ_oukePwxo16216137Jxxt.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ikhnedxrebnzJflitivmG_16216133wmc.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ePmhh_wdna_xurGsebauQwzm16215346w.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/wt_QzckPwrnGanJl16216143Gxor.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/cwcJvltJYird_rezls16243820zldG.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/idkumvhrrswYt_vna16215366lPe.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/PsuiihcrkYJQwYhe16215906sJ.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/dcavJPdtbbmxettQn16215294k.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/Je_PwGbGsP_sPizhifbdzct16215197QJbt.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/sueuloaPtee16215669esze.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/shmGl__elwrxivcooh16243789iQ.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/uanmtwakfm_hQonPGr16243708b.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/cJeQeaYa16215838amda.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/GmkvrlQPd_wYmznfkv16243732vah.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/dihfJadGYzmrm16243782wac.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/lhkciemcQxhlifo_Gr16215234o.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/ttzvmQGQPmtQPQJaxfQvcYcuYtc_a16215839i.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/P_cJsJ_csvPvGmxhelvhnYYs16215206s.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/oQvbYnGzezbrmoYmwPioieJe16215938z.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/Yfh16215381w.pdf (in PDF document text)
- http://www.toledano.fr/logs/mkxaicuidPhfziuP_15871374Y.pdf (in PDF document text)
- http://www.toledano.fr/images/keutsf_zzYuJvcGYQGear15872290ol.pdf (in PDF document text)
- http://www.toledano.fr/logs/mYJuPGdb15934738cGh.pdf (in PDF document text)
- http://www.toledano.fr/logs/xzPazteJYaPu_lhbY15902197nwGw.pdf (in PDF document text)
- http://www.technicalanalysisdaily.com/imap/JkY_zwsitdv_aGedm_lzhQmsxl14541160zx.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/wminxhzrtkuntlfQvJfvYf16215357Gahd.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/YGikwvbhacfbfdPi16215411lY.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/sccvevczJrlbrnnGQfPc_uusurte16215925e.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/lGabQva16215455x.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/tdmtxYvPfauJuGbPf16243874zx.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/cJPi_svtzYvJofJ16243868vk.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/eo_znm16215201J.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/hYkcbtGeiedtowbeidzumzuorJcvQs16243616kJYl.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/umYdaQzGankocovrxncfn16243777ms.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/Pabinlmz16215579mQ.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/zsznGJnQtPlunbnrbsPttou16215265ve.pdf (in PDF document text)
- http://dubaipropertyrentals.net/idealow/causemusic.php/lxlxGeoQxouwrcsQievGuP16243694mvi.pdf (in PDF document text)
+68 more URL(s)
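The three static heuristics above (a PDF header at a nonzero offset inside another container, the same object number defined twice with different bodies, and four or more links through a .php gateway to a phrase- or token-shaped .pdf slug) are simple enough to reproduce as a self-contained triage script. The following is an added example written for this page, not the analyzer's own rule code: the regular expressions, the "active content" key list, the slug patterns and the threshold of four are assumptions, and the input is a constructed byte string (a ZIP-looking prefix followed by a tiny PDF body) rather than the sample analysed here.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Added example: simplified static checks in the spirit of the three PDF
# heuristics above. Patterns and thresholds are assumptions, not the analyzer's.

PDF_MAGIC = b"%PDF-"
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
GATEWAY_RE = re.compile(r"\.php(?:/|\?)(?P<rest>[^#]+\.pdf)$", re.I)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def find_child_pdfs(data: bytes) -> list:
    """Offsets of PDF headers that are not at offset 0 (polyglot child bodies)."""
    offsets, pos = [], data.find(PDF_MAGIC, 1)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(PDF_MAGIC, pos + 1)
    return offsets


def carve_child_pdf(data: bytes, offset: int) -> bytes:
    """Carve from the header at `offset` to the last %%EOF (or end of data)."""
    end = data.rfind(b"%%EOF")
    return data[offset:] if end < offset else data[offset:end + len(b"%%EOF")]


def duplicate_objects(data: bytes) -> dict:
    """(num, gen) -> distinct bodies, for objects defined more than once with
    different body bytes; identical redefinitions are not counted."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if body not in bodies[key]:
            bodies[key].append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def duplicate_with_active_content(data: bytes) -> list:
    """Duplicates where any variant carries active content, the case the
    heuristic escalates above 'info'."""
    return sorted(k for k, variants in duplicate_objects(data).items()
                  if any(key in body for body in variants for key in ACTIVE_KEYS))


def extract_link_uris(data: bytes) -> list:
    """URIs from /URI link actions, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def is_php_gateway_link(url: str) -> bool:
    """True when the link routes through a .php gateway to a *.pdf slug that is a
    search phrase (3+ words joined by '+' or '-') or a random token with an
    embedded numeric id, rather than a plain filename or key=value parameter."""
    p = urlparse(url)
    target = p.path + ("?" + p.query if p.query else "")
    m = GATEWAY_RE.search(target)
    if not m:
        return False
    slug = m.group("rest").rsplit("/", 1)[-1][:-4]   # drop trailing '.pdf'
    if "=" in slug:                                   # download.php?f=report.pdf
        return False
    words = [w for w in re.split(r"[+\-]", slug) if w.isalpha()]
    phrase = len(words) >= 3
    token = re.fullmatch(r"[A-Za-z_]{2,}\d{6,}[A-Za-z_]*", slug) is not None
    return phrase or token


def php_gateway_link_farm(uris: list, threshold: int = 4) -> bool:
    """Four or more gateway-shaped links is the link-farm signal."""
    return sum(is_php_gateway_link(u) for u in uris) >= threshold


def triage(data: bytes) -> dict:
    """Run every check and return the findings."""
    uris = extract_link_uris(data)
    return {
        "polyglot_child_offsets": find_child_pdfs(data),
        "duplicate_objects": sorted(duplicate_objects(data)),
        "duplicate_objects_active": duplicate_with_active_content(data),
        "php_gateway_links": [u for u in uris if is_php_gateway_link(u)],
        "php_gateway_link_farm": php_gateway_link_farm(uris),
    }


# Constructed sample (not a real file): a ZIP-looking 32-byte prefix, then a
# small PDF body, so the PDF header sits at a nonzero offset as in a polyglot.
SAMPLE = (
    b"PK\x03\x04" + b"\x00" * 28
    + b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/gw.php/binary+options+trading+nz.pdf) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/gw.php/abcdefGH16215619xy.pdf) >> >>\nendobj\n"
    b"7 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"8 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/download.php?f=report.pdf) >> >>\nendobj\n"
    b"9 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/gw.php/cialis-dosage-side-effects.pdf) >> >>\nendobj\n"
    b"10 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/gw.php/zq_ab16215294k.pdf) >> >>\nendobj\n"
    # incremental update: objects 5 and 7 redefined with different bodies
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/gw.php/free+download+crack.pdf) >> >>\nendobj\n"
    b"7 0 obj\n<< /S /JavaScript /JS (app.alert(2)) >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```

On the constructed sample the script reports a child PDF at offset 32, duplicate definitions for objects 5 and 7 with only object 7 carrying active content (the JavaScript action), and five gateway-shaped links, enough to trip the link-farm threshold. Applied to the URLs listed on this page, the dubaipropertyrentals.net links match the gateway-plus-token shape while the toledano.fr and technicalanalysisdaily.com links do not (they are direct paths with no .php component), which is why only the PHP-gateway rule fires even though all three hosts use the same slug style.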
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_005_off0000c1d7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xC1D7 | 20108 bytes | ebce71fbb0ca4a7f18b8c7dd0da031d05bb605124eb78e006aab615192b0f208 |
| stream_015_off0001f445.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1F445 | 19900 bytes | 13464fe37726f5d64ae356c2892757608a65efa366664e6a0be4cd80f1683001 |
| font_01_sfnt_off0000f805.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF805 | 19964 bytes | 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8 |
| font_02_sfnt_off00012dcb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12DCB | 20828 bytes | 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1 |
| polyglot_child_pdf_off00016976.pdf | polyglot-child-pdf | Secondary PDF body inside PDF container at offset 0x16976 | 77685 bytes | e7767bf6d09bb98b7c1e8696250dacc486d8b5af9e0a3d321680456950461b3a |