MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains a large number of external links, many of which point to PDF files hosted on various domains, suggesting a link farm or redirection mechanism. The presence of a 'download button' heuristic and the ML classifier's high confidence score indicate malicious intent. The primary URL, http://74-123-72-53.mgwnet.com/uploads/1/3/1/4/131438461/131438461.html#excel+conditional+formatting+second+highest+value, likely serves as the initial lure to a malicious resource.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 5
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTALThe same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://74-123-72-53.mgwnet.com/uploads/1/3/1/4/131438461/131438461.html#excel+conditional+formatting+second+highest+value
- http://freecourts.com/uploads/1/3/0/7/130775751/lexivaloxi_piguwaluzu.pdf
- http://vegactive.com/uploads/1/3/0/7/130775431/jigibuziz.pdf
- http://autodiscover.getbjs.com/uploads/1/3/0/5/130543158/65b998c1d93.pdf
- http://www.luxav.co.uk/uploads/1/3/0/5/130588545/9315369.pdf
- http://mustangremediation.com/uploads/1/3/0/8/130874130/fiwus.pdf
- http://centralrefrigerationinc.us/uploads/1/3/0/7/130738955/b39a3.pdf
- http://baselabstudios.com/uploads/1/3/0/6/130620626/07869.pdf
- http://trejoconstruction1954.com/uploads/1/3/0/6/130620603/banigifi_bapilufekoxe_wogebovu.pdf
- http://sgiindia.us/uploads/1/3/0/9/130969204/tonelipexuz_sezusir.pdf
- http://muhammadsrsabry.us/uploads/1/3/0/2/130270898/3037862.pdf
- http://eco-plantravellight.net/uploads/1/3/0/4/130476579/8d01b1b4.pdf
- http://janetiques.net/uploads/1/3/0/2/130270997/nigovutuxuzovifebimu.pdf
- http://candyrodriguez.com/uploads/1/3/0/8/130874398/9fe2207f7.pdf
- http://www.advbrand.com/uploads/1/3/0/6/130620154/rimonujuno_wunubos_feniz.pdf
- http://allan69.com/uploads/1/3/0/7/130775002/4255758.pdf
- http://www.lysandertreumann.com/uploads/1/3/0/6/130621940/nolafenaxakubomaf.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006ad0.bin2673444a25b99dfe8f9d47036d141e13cb6223a0d3326f70d07129f2536ee933 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AD0 | 7896 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.