Verdict: MALICIOUS
Risk score: 130
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 User Execution: Malicious File
The PDF file was flagged as malicious by an ML classifier. It contains embedded URIs and a visual download button, suggesting a social engineering lure to trick the user into downloading a malicious file. The primary malicious URLs point to a PHP script that likely serves the payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9395
Heuristics (4)
- Fake 'free download' SEO-poisoning PDF (critical, PDF_SEO_FAKE_DOWNLOAD): The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- PDF carries a PHP-gateway SEO-spam PDF link farm (medium, PDF_SEO_PHP_GATEWAY_LINK_FARM): The PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
- Embedded URL info (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00004b0a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B0A | 10124 bytes | fe805d22a143b2d0bb35ba60b701db5bec5d48e72b6bad0d32e6e59ec507e584 |
| font_01_sfnt_off00006b42.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B42 | 6976 bytes | 12ed795fcd3cffe808b0bc67be463b71e31515acb8646af4cf0ed22831779260 |