MALICIOUS
94
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though partially corrupted, contains text related to downloading movies, suggesting a lure to a link farm. The ML_NYX_PDF_MALICIOUS heuristic also strongly indicates malicious intent. The primary attack pattern involves redirecting users to a network of potentially malicious websites.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 4
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://bbpapaveri-e-papere.com/uploads/1/3/0/6/130605421/130605421.html#descargar+peliculas+de+barbie+gratis+en+espa%C3%B1ol+completas
- http://spennconrail.com/uploads/1/3/0/5/130588865/jiwumu-pumeju-jebagaru-numevamo.pdf
- http://www.puffdragan.co.uk/uploads/1/3/0/2/130287506/63bb78a0d47abeb.pdf
- http://kevinaxx.com/uploads/1/3/0/6/130621206/1562449.pdf
- http://randyslounge.com/uploads/1/3/0/5/130589077/8108305.pdf
- http://mta-sts.mx.cypresswoodspetcrematory.com/uploads/1/3/0/2/130272631/7f0372.pdf
- http://credenceadvisory.org/uploads/1/3/0/6/130620747/6487454.pdf
- http://gretcheneveretthardwareandhome.com/uploads/1/3/0/6/130620313/acacb103c.pdf
- http://thisisthehype.com/uploads/1/3/0/7/130775366/4748149.pdf
- http://thekingdumb.com/uploads/1/3/0/2/130289441/3318408.pdf
- http://longhorncaverns.co/uploads/1/3/0/5/130588509/34679.pdf
- http://litem.net/uploads/1/3/0/2/130273842/rovofazepax-nopotabawu.pdf
- http://plumbingsantaclarita.net/uploads/1/3/0/5/130551132/2b1e418bcc4.pdf
- http://morristileva.com/uploads/1/3/0/6/130639152/5fca85ed44d8.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006094.bin1957428794578a072b8983e864e5701b52391162abfb2d6d14c6295fa8a16687 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6094 | 6444 bytes |
font_01_sfnt_off00007056.binb1f8b2dd9f63738457e8033d555f7f0df4e8eb59ca890b8878f37bed100c3024 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7056 | 8384 bytes |
font_02_sfnt_off00008f13.bin50224c6c483bfa86a10f62efd7baa2c756f8036c0a911ebd537387e21b2fb6f3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F13 | 2732 bytes |
font_03_sfnt_off000098aa.binf6673f5733dc8d045aa2920187775bd5043727a39b447105fc8e8032f1339a7a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x98AA | 4868 bytes |
font_04_sfnt_off0000a9d8.bine8886f61ae851d38ffc48ea642994614862ccb3c57a59051a35d7ffc9edb78ab |
pdf-font-stream | PDF embedded font (sfnt) at offset 0xA9D8 | 17080 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.