Verdict: MALICIOUS
Risk Score: 78
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains an embedded URI pointing to a suspicious external resource. This URI is likely intended to trick the user into downloading a secondary malicious PDF. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of the external link strongly suggests a social engineering attempt to deliver further malware. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier clean score 0.0566
Heuristics (6)
- Secondary embedded PDF body has suspicious static findings [high, POLYGLOT_CHILD_PDF_STATIC_TRIAGE]: A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
- PDF carries a PHP-gateway SEO-spam PDF link farm [medium, PDF_SEO_PHP_GATEWAY_LINK_FARM]: PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma, binary-options or 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]: The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- PDF differential parser failed [info, PDF_DIFFERENTIAL_PARSE_FAILED]: The cross-check parser (pdfminer.six) failed on this file with the error "PDF differential parser failed: PSEOF". Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL: http://dubaipropertyrentals.net/idealow/causemusic.php/ozaiaGrwrmsJYGhheuorrPwJQd16215447ese.pdf (PDF link annotation).
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_005_off0000b856.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB856 | 20012 bytes | fde4a56613f3142d0275d401dfd2e4fe2e20ab986bc3024ccba69dce85ed2833 |
| stream_015_off0001f150.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1F150 | 20308 bytes | 1cac92e4f225aa7afcd080642d5078839ef22260c31c3862a28b8de1d3ce036f |
| font_01_sfnt_off0000ee42.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE42 | 19964 bytes | 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8 |
| font_02_sfnt_off00012408.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12408 | 20828 bytes | 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1 |
| polyglot_child_pdf_off00015fa0.pdf | polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x15FA0 | 79830 bytes | 2a3e727345c4e58a726a6d4845391ea43bd81e1b5b2f91139fc2a0d4a0774f9d |