MALICIOUS
92
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a suspicious link to an algorithmically generated URL and a visual download button, indicating an attempt to trick the user into downloading a payload. The presence of an encrypted archive further suggests a malicious delivery mechanism. No scripts were extracted from this sample, but the overall pattern points to a downloader or dropper.
Machine Learning
- Nyx PDF Classifier clean score 0.0141
Heuristics 5
-
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINKPDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
-
Suspicious payload delivered in a password-protected archive high ARCHIVE_ENCRYPTED_SUSPICIOUS_DELIVERYThe archive was password-protected (opened with a common malware-analysis password) and its extracted content is independently suspicious. Password-protecting the wrapper is a deliberate mail-gateway / static-scanner evasion; combined with suspicious content this is the standard malspam delivery pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XK2N3Z1p1YzNVM3NrNkxhRC9NSFRWbzJhMUxGdnlycjdnck5KcThaSEt1RC9kSFU4alNvYXFJekhiUmkySS9UbWZxMDJoeDh6QmtZUFVzZjltQmVwL1dZZFJGZmovWmVMQ0RLSjB0ZXVwWEp5aVhVREovdjFnVitrYXp4cW4vMmhqSTdRTk42bWgzUTdRZ2pPWUNnNWo1TTZGbkkyRVVKbnFyejlNSkpTVk9IODZycDNuZ1U2R01zT3hGbmZ1enNLcUtpL2VRPT0tLTlFcmtFdEIvejNHVmdYL3AtLWNkZ0FIanpNY0s0RXhuRXlyZWtOMVE9PQ==?cid=3004348240
- https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XVnpLYjRoYW55Q3c5M0VBVjVQQkJzMnQvWjZiZ3p2bHhPZnFiRGVHeWFGaWtIZUV6cEVQWUlVbEZMWWdUSThNRTJ1VDViTlJFY0FxZEhMc21DeC84U1JjRTJNWmt6MTU3NFZYbEU3dUVqdkY3OUpmSUFIb3F6aWJnaStLTkplZ0ZSVkV4MjRPME55eWRtS2pLeVZmZVNZZFkwZkhLcktvVGl2dDl1TkRybXNjVVRXS3RFSEQyUmdqM2RUU0VWekJUT2NiRzJRPT0tLTJlYU41VXdxUHRmMUJLeDktLTJGUXFrK3RYRnJWdnRPWHdYb01QSVE9PQ==?cid=3004348240
- https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XdlpRL0E2aVJwc3dCTFlLd2d3di9RNk1Ockord3pGakl3N05mRDNXcmk5M2I3K0tCRFdzSnUxSlFnU2pFd2VEZWpiWnFPYTNrZnI2cjErM0FEM3NKQStBTVJnSHZ3dWZtUDRvNXI4c1l6UDVNRmpVNHd2cjBzWmR2KzRYSmRHTEpiaTJVRTlGdkJCbFZOVFpKeG5OZkJ6OFJXR2t1am5Pc3FIa3F6NlJKWkhlYWc3Q0VoUDBCd3l4VStJc1pKM0FlUlF5M3FnPT0tLU5yUWtubDU5SjZTbTE1NnMtLWVLbmhjMzlPUVNJdDhVQUlTaHBoS3c9PQ==?cid=3004348240
- https://na01.safelinks.protection.outlook.com.url.protected-forms.com/XdlpRL0E2aVJwc3dCTFlLd2d3di9RNk1Ockord3pGakl3N05mRDNXcmk5M2I3K0tCRFdzSnUxSlFnU2pFd2VEZWpiWnFPYTNrZnI2cjErM0FEM3NKQStBTVJnSHZ3dWZtUDRvNXI4c1l6UDVNRmpVNHd2cjBzWmR2KzRYSmRHTEpiaTJVRTlGdkJCbFZOVFpKeG5OZkJ6OFJXR2t1am5Pc3FIa3F6NlJKWkhlY
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/exif/1.0/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_cff_off0001928c.bin9340d372ad75a105fdb1627a30e96f892e0dc7d9588c0150cf06b4fa72281cc0 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1928C | 4575 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.