MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The sample is a PDF document that contains numerous external links, many of which point to other PDF files with numeric slugs, suggesting a link farm for SEO poisoning. One embedded URL, 'http://xpertitconsultingllc.com/uploads/1/3/0/6/130603946/130603946.html#jsc+full+marksheet+2018+rajshahi+board', is particularly suspicious and aligns with the 'MFA / one-time-code harvesting lure' heuristic. This indicates the document is likely part of a phishing campaign designed to steal credentials or session tokens.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
MFA / one-time-code harvesting lure high SE_MFA_LUREDocument asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://xpertitconsultingllc.com/uploads/1/3/0/6/130603946/130603946.html#jsc+full+marksheet+2018+rajshahi+board
- http://stoneedgesharpening.net/uploads/1/3/0/7/130775411/turujinek_berepogegevir_jamax.pdf
- http://valleyexpresslimo.com/uploads/1/3/1/4/131406562/gikovuke_xuwevigaropefit.pdf
- http://southcoastconstructioninc.com/uploads/1/3/0/6/130639678/witivogobozud.pdf
- http://lonerocknigerians.ca/uploads/1/3/0/3/130312952/sarevolikeveroboket.pdf
- http://mycbd4life.com/uploads/1/3/0/8/130813144/dea179256e5.pdf
- http://kindredthreadstx.com/uploads/1/3/0/6/130621985/rumokesovudobivinos.pdf
- http://blandonexporters.com/uploads/1/3/0/2/130270826/gokegudoduna.pdf
- http://kaileecristinafilm.com/uploads/1/3/0/7/130775310/luwovuzojusa.pdf
- http://vivians94.com/uploads/1/3/0/3/130379172/98957007b.pdf
- http://brianthegaul.com/uploads/1/3/0/3/130379138/934950.pdf
- http://eboardresults
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000697b.bin66e5dd229351c19482cc3ca1e9a51cf8e4ef8752f81ee2c69d78cfc3e9d6cc36 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x697B | 7992 bytes |
font_01_sfnt_off00008899.bind907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8899 | 2616 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.