MALICIOUS
94
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of embedded external URLs, a technique commonly used for SEO spam or to redirect users to malicious sites. The ML classifier strongly flagged this PDF as malicious, and the presence of a link farm heuristic further supports this assessment. The document body text, though garbled, contains a URL that appears to be a lure for game downloads, suggesting a deceptive intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://pbjconstructionllc.com/uploads/1/3/0/6/130639306/130639306.html#pokemon+perla+descargar+espa%C3%B1ol+para+pc
- http://oldguardofwhiteplains.org/uploads/1/3/0/2/130271038/fexop.pdf
- http://lighthousehrsolutionsllc.com/uploads/1/3/0/6/130605476/nekumok.pdf
- http://suchiraconstructions.com/uploads/1/3/1/3/131379382/lodapanek_pufon_xebojomeliratof_nalitita.pdf
- http://portcityheart.net/uploads/1/3/0/7/130775974/fcf217.pdf
- http://brighthorizonschildcare.com/uploads/1/3/0/6/130639294/4f4dd41564e61.pdf
- http://gimpman.com/uploads/1/3/0/5/130538997/pedofabib.pdf
- http://buycitations.co/uploads/1/3/0/6/130603815/subefedarewafeg.pdf
- http://partnerfit.co/uploads/1/3/0/3/130313166/tulapiga-boluxise.pdf
- http://pushthenote.com/uploads/1/3/0/9/130968960/1204946.pdf
- http://heisenwholesale.com/uploads/1/3/0/4/130488574/4092814.pdf
- http://tylerstracks.com/uploads/1/3/0/5/130588988/9814836.pdf
- http://timesharememe.com/uploads/1/3/0/3/130312920/jepuvokizok_fudiliti_wijikuwojipil_runifonu.pdf
- http://purplepipes.co/uploads/1/3/0/7/130739043/5496229.pdf
- http://lisafranditore.com/uploads/1/3/0/6/130620728/6292269.pdf
- http://ppmrktg.com/uploads/1/3/1/3/131380388/xuzitowax.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006eb0.bin165dde7229b929ce477e2212dff53c30cd6d36b103e4ecb61eea8db77e4a10c4 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6EB0 | 9476 bytes |
font_01_sfnt_off00008feb.bin26bb334c0f594006ca3b3bee62bd7a330ce93095e397180f1e65823175f08c04 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8FEB | 6604 bytes |
font_02_sfnt_off0000a561.bin779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA561 | 16036 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.