Malware Insights
The PDF contains a large number of external links, many of which point to other PDF files hosted on various domains. This pattern is indicative of a link farm, often used to manipulate search engine results or to distribute malicious content. The primary URL extracted, 'http://thesingbabysingshow.com/uploads/1/3/1/3/131379738/131379738.html#how+to+repair+electric+lazy+boy+recliner+mechanism', suggests a lure related to repair guides, which is a common tactic for phishing or malware distribution. No scripts were extracted, and the document body was heavily obfuscated, but the heuristic firings strongly suggest malicious intent related to URL redirection and content hosting.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://thesingbabysingshow.com/uploads/1/3/1/3/131379738/131379738.html#how+to+repair+electric+lazy+boy+recliner+mechanism
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007e14.bin 5278024270de67705d3a5034a26ce2f5e1d9e53f50705cc770b2190155f81e7b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E14 | 6728 bytes |
| font_01_sfnt_off00008eb7.bin 5d0c6923449eb7d165d6c8cc5931c90525cc75f52c62e38b2f3cc46f92f21c68 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8EB7 | 8012 bytes |
| font_02_sfnt_off0000adf1.bin 736cd2d33175a5a13ef050b14347fdc238d98c9b1a4a011ca05e63a00a87de6d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xADF1 | 1556 bytes |
| font_03_sfnt_off0000b601.bin a2aed6e222c3e59cd783f8eaa8571a4572603d2d1d4325508d6783068674e767 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB601 | 16328 bytes |