Malicious PDF — malware analysis report

Heuristics 6

• Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
  A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
• PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
  PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
• PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
  PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://dubaipropertyrentals.net/idealow/causemusic.php/mithmncvr_aheYenzm16243617cm.pdf PDF link annotation

  • http://dubaipropertyrentals.net/idealow/causemusic.php/rancdGmo_fxhf16215390JG.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/xbwJv16243735Ql.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/oJmPovPPswQ_lhavrervYxiaxJiu16215666o_.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/xdcvaik16243683Yu.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/dsPukrmJve_o_16215425Y.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/nbbPuhoftrdkPnm_xizrhiwPx16243621hJn.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/fhdrt_fJimuks_eczckrJtY16215215hQ.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/cxelf_nvPtGGkk_kunYz_skdtz16215385ot.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/PJcGdwlrQvrliJllvbloJw_r16243818Gwx.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/P_cJsJ_csvPvGmxhelvhnYYs16215206s.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/PJmkxcfJdnYclfhiuowJoa_16243858h.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/fiddxnolk_YdotnPhkJu16215530Qaee.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/msfmoYbhdQc__sdlhYJuvef16215803fP.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/hYkcbtGeiedtowbeidzumzuorJcvQs16243616kJYl.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/vxlaYdsvdGduxlYavxwhr16243751hokh.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/QbuuJfeJt16216158x.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/xamurmJizcxxxa16216114e.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/QikYcthkhliod_tGuQmniktvvre16215360asc.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/dPu16215975Qur.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/YuPJanuii_oGllt_xizuhvP_P16216149Puhk.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/zYPuGmwnw_16243598sJ.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/kwwPt16215801Pu.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/unu16215353P_h.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/ozbsrmnwJedimktQikau16243677l.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/JzrQYlk16215246t_o.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/chmfbaPcdnasocdocs16243745um.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/atPx16215928zlnv.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/lwPiucreunJaJto16243691dx.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/kuvlmet16215561krm.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/zawadedo16243863wl.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/_QdGGinfdrmraiGb16215635GYs.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/J_rfiP_utknhoQxkPxaskt_QkvaPY16215726QG.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/lzPmxYdhemzGomtoefx_JcGenPkm16243586ix.pdfIn PDF document text
  • http://www.toledano.fr/logs/ebcQx15871618vuvi.pdfIn PDF document text
  • http://cardoor.es/learnfire/hYchkiarotdoYfkx15573292sol.pdfIn PDF document text
  • http://www.toledano.fr/logs/dkYfxkfmsJcntPduJew_Q15872118mebY.pdfIn PDF document text
  • http://mehmanesh.com/easyeffort/truemusic.php/wzhesfxkafmafzPltshefhxYdG_nd15347669xbhd.pdfIn PDF document text
  • http://www.kamilciepienko.pl/wholemoment/isma15377314wG.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/difJ_ih16215639abi.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/hYts16243619e.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/Jadurnnncbkosx_hesehhznmmmov16215914vl.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/bYYecreanbrirtdYcakx16243620vJ.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/lwoalQf16215629vkh.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/szdPlkYvPan16215693v.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/dkcYmccYiJxvchhs16215202u_Go.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/_lcPhPJrPuGxo_YllhlJtoeJw16243847kP.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/YvhosozlPmh_zivhacenrrJd_16215469vQh.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/alPkedhaxwP16215744i.pdfIn PDF document text
  • http://dubaipropertyrentals.net/idealow/causemusic.php/wbtebJnszu_u_vvbGmcJzQr16215706dfr.pdfIn PDF document text

  +72 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.