MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The embedded URL `http://mynaturalplace.com/uploads/1/3/0/6/130621495/130621495.html#how+to+set+slide+to+unlock+on+iphone+5s` and the other 29 URLs point to various PDF files, indicating a coordinated effort to distribute content or manipulate search engine results. The ML classifier strongly flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
- PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm. Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- PDF_URI (info): External URI. PDF contains an external URL action.
- PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies. The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://mynaturalplace.com/uploads/1/3/0/6/130621495/130621495.html#how+to+set+slide+to+unlock+on+iphone+5s
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000075b2.bin `2812629bb51e10010c1c46b44b4819433f2834a3a428fb2414548a19f7de14cd` | pdf-font-stream | PDF embedded font (sfnt) at offset 0x75B2 | 7884 bytes |