MALICIOUS
Risk Score: 136
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
The PDF contains a large number of external links to other PDF files hosted on domains that appear to be part of a link farm. The ML classifier also flagged this PDF as malicious. The presence of numerous SEO-optimized URLs suggests a campaign to manipulate search engine results or distribute malicious content through these links.
Machine Learning
- Nyx PDF Classifier malicious score 0.9970
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- PDF link to algorithmically-generated URL (high, PDF_RANDOM_URL_LINK): PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures (the visible document is only a prompt), not a PDF parser vulnerability.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000d3ab.bin b12ba223109957b1ef6033c99d84c89a2c2a92c3f0e0334ab6c460efa1de7f05 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD3AB | 8884 bytes |
| font_01_sfnt_off0000e4f2.bin f3cece92a48ac5434150554f29dc589a79fe72ecac191744e5a08473dd841398 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4F2 | 11684 bytes |
| font_02_sfnt_off00010d8a.bin 69dc14e261cde4003ec7434edd0abfe32f568ac7595341782954222b081dc460 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D8A | 1492 bytes |
| font_03_sfnt_off0001159b.bin a52024394f6d06806b05ac61f61350ad37ca4881925508701894efd0f1da3415 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1159B | 1392 bytes |
| font_04_sfnt_off00011d73.bin 9e0d1d2909a66d4fae37c2cde334eaf0c2ca163b21e96819c43c715e06edb92a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D73 | 5000 bytes |
| font_05_sfnt_off00012e0b.bin b495c9e0afb1a0099f9cd87de99c98bdffab9d6e4593fc0c2f2161f8c2359006 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E0B | 16204 bytes |
| font_06_sfnt_off00014360.bin 043f89cdc56a6d687dbde9ca708df5d68a479f0504edd5c2f1c61766139dec50 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14360 | 10532 bytes |