MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains multiple embedded URLs that mimic download links for a user guide. The ML classifier flagged this PDF as malicious with high confidence. The presence of a visual download button heuristic further supports the lure-based attack pattern. The primary intent appears to be tricking the user into downloading a potentially malicious file disguised as a legitimate document.
Machine Learning
- Nyx PDF Classifier malicious score 0.9227
Heuristics 4
-
Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOADThe ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
-
PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARMPDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://uncpbisdegree.com/download3.php?q=yamaha-ski-boats-user-guide.pdf In PDF document text
- http://uncpbisdegree.com/download4.php?q=yamaha-ski-boats-user-guide.pdfIn PDF document text
- http://drlogo.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://giseye.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://hihugo.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://drreis.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://indumo.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://rawest.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://pjozzi.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- https://www.yamahawaverunners.com/In PDF document text
- http://alkies.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- http://coxrat.de/yamaha/ski/yamaha_ski_boats_user_guide.pdfIn PDF document text
- https://yamahaboats.com/In PDF document text
- https://www.yamahaboats.com/24-ft-boats/242-limited-s/In PDF document text
- http://riverside-resort.net/1/takeover-theresa-maclean-1-lisa-black.pdfIn PDF document text
- http://riverside-resort.net/1/solutions-to-cambridge-unit-4-accounting.pdfIn PDF document text
- http://riverside-resort.net/1/special-senses-review-sheet-17-answers.pdfIn PDF document text
- http://riverside-resort.net/1/simplified-icse-chemistry-for-std-ix-54th-edition.pdfIn PDF document text
- http://riverside-resort.net/1/the-fragrance-forgotten-years.pdfIn PDF document text
- http://riverside-resort.net/1/the-rogue-crew-greenshroud.pdfIn PDF document text
- http://riverside-resort.net/1/the-magic-school-bus-and-the-electric-field-trip.pdfIn PDF document text
- http://riverside-resort.net/1/system-wiring-diagrams-gm-forum.pdfIn PDF document text
- http://riverside-resort.net/1/suzuki-boulevard-c109rt-service-manual.pdfIn PDF document text
- http://riverside-resort.net/1/ucsd-chemistry-placement-exam-study-guide.pdfIn PDF document text
- https://www.yamahawaverunners.comIn PDF document text
- https://yamahaboats.comIn PDF document text
- https://www.yamahaboats.com/24-ft-boats/242-limited-sIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://go.microsoft.com/fwlink/?LinkID=617350In PDF document text
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
- https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006621.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6621 | 14320 bytes |
SHA-256: e34eee652857bfba576dcc15578f4221bb31b28f4629cab9acddc43001f8edee |
|||
font_01_sfnt_off0000919e.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x919E | 9016 bytes |
SHA-256: a5eb33db5bf2a966819c29b376c9d90ca664f37b909326e216f133160f05ccc8 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.