Verdict: MALICIOUS
Risk Score: 116

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious Link
The PDF file contains a critical heuristic firing indicating a direct link to a payload. The document body and extracted URLs predominantly reference payment services and related Wikipedia articles, suggesting a lure to disguise a malicious download. The presence of embedded files further supports the payload delivery mechanism. The ML classifier also flagged this PDF as malicious with high confidence.
Machine Learning
- Nyx PDF Classifier: malicious score 0.8941

Heuristics (6)
- PDF link points directly to executable/archive payload (critical, PDF_DIRECT_PAYLOAD_LINK): PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
- Embedded file (low, PDF_EMBEDDED): PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture, which can contain script logic.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (7)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| embedded_file_obj0095.bin | d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777 | pdf-embedded-file | PDF EmbeddedFile object 95 at offset 0x13682 | 84 bytes |
| embedded_file_obj0096.bin | 24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0 | pdf-embedded-file | PDF EmbeddedFile object 96 at offset 0x13719 | 228 bytes |
| embedded_file_obj0097.bin | 0880662c9a44d5cc6739878bb6a1abcc84fb931b5e4e6d3be63fd7be3869b391 | pdf-embedded-file | PDF EmbeddedFile object 97 at offset 0x1389C | 31834 bytes |
| embedded_file_obj0098.bin | c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460 | pdf-embedded-file | PDF EmbeddedFile object 98 at offset 0x16B0E | 199 bytes |
| embedded_file_obj0099.bin | 846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7 | pdf-embedded-file | PDF EmbeddedFile object 99 at offset 0x16C18 | 119 bytes |
| embedded_file_obj0100.bin | e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876 | pdf-embedded-file | PDF EmbeddedFile object 100 at offset 0x16CD2 | 77 bytes |
| embedded_file_obj0101.bin | 92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a | pdf-embedded-file | PDF EmbeddedFile object 101 at offset 0x16D62 | 56 bytes |