MALICIOUS
136
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of external links, many of which point to other PDF files on unrelated domains. This behavior is indicative of a link farm or SEO manipulation tactic, potentially used to distribute malicious content or pages. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://klokkeraadgivning.com/uploads/1/3/0/7/130775075/130775075.html#akhiyan+de+kol+teri+video+song
- http://realestatefilming.com/uploads/1/3/0/2/130289347/d992601af89fd2.pdf
- http://dorothynellcraft.net/uploads/1/3/0/8/130874339/53c813d.pdf
- http://uconnpremedicalsocietynewsletter.com/uploads/1/3/1/6/131607889/7959669.pdf
- http://fleshandbloodfantasy.com/uploads/1/3/0/4/130483194/wexot.pdf
- http://footplayusa.com/uploads/1/3/0/8/130873863/xogatemusaf_fotiwo_rawavesudeno_xomuxoripala.pdf
- http://rosscreekstore.com/uploads/1/3/1/4/131437725/davowebikezar.pdf
- http://mysimplyblingfor5.com/uploads/1/3/1/4/131453397/ranelajetezosiz.pdf
- http://feedinghelpinggeorgians.org/uploads/1/3/1/6/131637896/ragirazanatanizu.pdf
- http://vitalvantage.com/uploads/1/3/0/6/130621345/safopoxuno_lukuzu_xogurilesewo.pdf
- http://thebeautymamashop.com/uploads/1/3/1/0/131070497/9f89a.pdf
- http://lalunasoul.com/uploads/1/3/0/8/130874570/1297825.pdf
- http://flowm.io/uploads/1/3/1/4/131438135/1543667.pdf
- http://performancelecture.com/uploads/1/3/0/2/130271187/jixogig.pdf
- http://gilcrest-center.com/uploads/1/3/1/4/131454098/xinunava.pdf
- http://discipleshiptraining.org/uploads/1/3/0/7/130776279/0bd2b91bb90d.pdf
- http://ape-ron.com/uploads/1/3/0/3/130323173/f3ba570fc.pdf
- http://centraldirectms.com/uploads/1/3/0/5/130590661/e5c05.pdf
- http://facespromotions.org/uploads/1/3/0/9/130968973/gunelazasakoda.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005a9f.bindabaff2be579b738cb3d274e211a592e2dfeee730b0cc13a86f6ec3e697874d2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A9F | 7592 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.