Verdict: MALICIOUS
Risk Score: 130
MITRE ATT&CK: T1059.001 PowerShell

Malware Insights
The PDF contains embedded URLs and a heuristic firing for an external URI, suggesting an attempt to redirect the user to a download. The ML classifier also flagged this PDF as malicious. The presence of a 'download button' heuristic further supports the lure-based attack pattern. No scripts were extracted, limiting the ability to determine the exact payload or persistence mechanisms.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9015
Heuristics (4)
- Fake 'free download' SEO-poisoning PDF (critical, PDF_SEO_FAKE_DOWNLOAD): The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- PDF carries a PHP-gateway SEO-spam PDF link farm (medium, PDF_SEO_PHP_GATEWAY_LINK_FARM): PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs in this sample were found in the PDF document text.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00004b99.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B99 | 9940 bytes | 7ee0ef15bec70923fd3f7e43fa89790224f605c6eaa18e01c8db042bbb09e498 |
| font_01_sfnt_off00006b4a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B4A | 6660 bytes | 0701b47cf2783854ddb42c62c06b5f8dfb0860fe7aed816c50ef70fc797ae235 |