Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious File
The PDF file is identified as malicious due to heuristics indicating it's a fake download lure designed to trick users into downloading a payload. The document body contains multiple links to 'uncpbisdegree.com', which are likely intended to serve the malicious file. The presence of a direct link to an executable/archive payload further supports this malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.7299
Heuristics 5
- PDF link points directly to executable/archive payload (critical, PDF_DIRECT_PAYLOAD_LINK): the PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk-image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
- Fake 'free download' SEO-poisoning PDF (critical, PDF_SEO_FAKE_DOWNLOAD): the ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware or scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): the document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs
- http://uncpbisdegree.com/download3.php?q=the-bhs-training-manual-for-stage-2.pdf
- http://uncpbisdegree.com/download4.php?q=the-bhs-training-manual-for-stage-2.pdf
- http://www.bhsscotland.org.uk/
- https://www.britishhipsociety.com/
- http://bowmanvillehigh.kprdsb.ca/
- http://davidparmenter.com/files/quick-month-end-reporting-part-2.pdf
- http://www.patrickpinker.com/?id=31
- http://www.barnwell45.org/
- http://www.psmsl.org/data/obtaining/
- https://www.derby-college.ac.uk/careers-courses/courses-subject-list
- https://www.printfutures.com/us-event/speakers
- http://www.urc-chs.com/health-systems-strengthening
- http://www.driveandstayalive.com/history-road-safety/
- https://www.pnw.edu/catalog/2011-fall-course-descriptions/
- http://www.bethpagecommunity.com/ourschools/bethpage_high_school
- http://cogi-congress.org/faculty/
- https://ipsum.im/
- http://www.trixiepixgraphics.com/extras/abbreviations.html
- http://www.kuwaitpharmacy.com/default.aspx
- http://www.unical.edu.ng/directories/staff_publications.php
- http://yxbysfbyydfbfdh.info/kleinanzeigen/index.html?keepThis=true&TB_iframe=true
- http://riverside-resort.net/1/the-euroqol-group-after-25-years.pdf
- http://riverside-resort.net/1/some-like-it-scot-scandalous-highlanders.pdf
- http://riverside-resort.net/1/topics-for-developmental-psychology-research-paper.pdf
- http://riverside-resort.net/1/symbiosis-bio-lab-manual-answers.pdf
- http://riverside-resort.net/1/the-dube-train-short-story-by-can-themba.pdf
- http://riverside-resort.net/1/solutions-for-sustainable-agriculture-and-food-systems.pdf
- http://riverside-resort.net/1/u-s-marshals-inside-americas-most-storied-law-enforcement-agency.pdf
- http://riverside-resort.net/1/teaming-with-microbes-the-organic-gardeners-guide-to-the-soil-food-web-revised-edition.pdf
- http://riverside-resort.net/1/the-plantation-payne-jones-book-1.pdf
- http://riverside-resort.net/1/the-sixth-extinction-the-first-three-weeks-noahs-story-book-1.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=en
- https://support.google.com/accounts/topic/7189049?hl=en&ref_topic=3382297
- http://turnitin.com/
- https://www.youtube.com/results
- https://searchsecurity.techtarget.com/Six-steps-for-security-patch-management-best-practices
- https://issuu.com/mhwholesaler/docs/1802_mhw_bb_digital
- https://mail.google.com/mail/u/0/
- https://www.dhs.gov/terms
- https://www.dhs.gov/site-links
- https://www.groupon.co.uk/discount-codes/shops/marksandspencer.com
- https://www.groupon.co.uk/discount-codes
- https://www.groupon.co.uk/discount-codes/categories/department-stores
- http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=RU_EN&a=http%3a%2f%2fyxbysfbyydfbfdh.info%2fkleinanzeigen%2findex.html%3fkeepThis%3dtrue%26TB_iframe%3dtrue
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
- https://go.microsoft.com/fwlink/?linkid=868922
- http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
+2 more URL(s)
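To make the link heuristics above concrete, the following Python is an added example (not the analyzer's own code) that re-implements PDF_URI extraction, PDF_DIRECT_PAYLOAD_LINK, the download-gateway test behind PDF_SEO_FAKE_DOWNLOAD, SE_DOWNLOAD_BUTTON, and the three-signal conjunction. It runs over a constructed PDF fragment that reuses the two uncpbisdegree.com gateway URLs and one benign link from the list above. The extension lists, the gateway-script list, the call-to-action phrase list, the 0.5 classifier threshold, and the `document_hosts` parameter used to model "off-domain" are all assumptions; the report does not publish its rule internals.

```python
"""Re-implementation of the PDF link heuristics named in the report (added example)."""
import re
from posixpath import splitext
from urllib.parse import parse_qs, urlsplit

# Extension families the report groups as executable/script/shortcut/disk image/archive (assumed list).
PAYLOAD_EXTENSIONS = frozenset({
    ".exe", ".msi", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".jar",                          # executables and scripts
    ".lnk", ".url",                                                 # shortcuts
    ".iso", ".img", ".vhd", ".vhdx", ".dmg",                        # disk images
    ".zip", ".rar", ".7z", ".gz", ".tgz", ".tar", ".cab", ".ace",   # archives
})
# Document-type extensions a fake-download gateway names in its query string (assumed list).
DOCUMENT_EXTENSIONS = frozenset({".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".epub"})
# Server-side script extensions that mark a dynamic download-gateway endpoint (assumed list).
GATEWAY_SCRIPT_EXTENSIONS = frozenset({".php", ".asp", ".aspx", ".cgi", ".jsp"})
# Call-to-action phrases; the report shows two of these, the rest are assumed.
CTA_PHRASES = ("click here to download", "download now", "download pdf", "free download")
ML_THRESHOLD = 0.5  # assumed decision threshold for the classifier score

# Literal-string /URI actions only: hex strings and FlateDecode object streams are not handled here.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return URLs from uncompressed /URI actions (the PDF_URI channel), deduplicated, in file order."""
    found: list[str] = []
    for raw in URI_ACTION_RE.findall(pdf_bytes):
        url = raw.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
        if url not in found:
            found.append(url)
    return found


def _path_ext(url: str) -> str:
    return splitext(urlsplit(url).path)[1].lower()


def is_direct_payload_link(url: str) -> bool:
    """PDF_DIRECT_PAYLOAD_LINK: the URL path itself ends in a payload extension."""
    return urlsplit(url).scheme in ("http", "https") and _path_ext(url) in PAYLOAD_EXTENSIONS


def is_download_gateway(url: str) -> bool:
    """Server-side script endpoint whose query string names a document payload,
    e.g. /download3.php?q=<title>.pdf as seen in this sample's URL list."""
    if _path_ext(url) not in GATEWAY_SCRIPT_EXTENSIONS:
        return False
    for values in parse_qs(urlsplit(url).query).values():
        if any(splitext(v.lower())[1] in DOCUMENT_EXTENSIONS for v in values):
            return True
    return False


def has_cta_lure(text: str) -> bool:
    """SE_DOWNLOAD_BUTTON: a call-to-action phrase; low-signal on its own."""
    lowered = text.lower()
    return any(phrase in lowered for phrase in CTA_PHRASES)


def triage(pdf_bytes: bytes, body_text: str, ml_score: float,
           document_hosts: frozenset[str] = frozenset()) -> dict[str, bool]:
    """Evaluate each heuristic and the PDF_SEO_FAKE_DOWNLOAD conjunction.
    document_hosts (assumed parameter) lists hosts the document legitimately belongs to;
    a gateway on any other host counts as 'off-domain'."""
    urls = extract_uris(pdf_bytes)
    off_domain_gateways = [u for u in urls
                           if is_download_gateway(u) and urlsplit(u).hostname not in document_hosts]
    findings = {
        "PDF_URI": bool(urls),
        "PDF_DIRECT_PAYLOAD_LINK": any(is_direct_payload_link(u) for u in urls),
        "SE_DOWNLOAD_BUTTON": has_cta_lure(body_text),
        "ML_FLAGGED": ml_score >= ML_THRESHOLD,
    }
    # Fire only on the three-signal conjunction so decoy links and benign installer links don't trip it.
    findings["PDF_SEO_FAKE_DOWNLOAD"] = (
        findings["ML_FLAGGED"] and findings["SE_DOWNLOAD_BUTTON"] and bool(off_domain_gateways)
    )
    return findings


# Constructed PDF fragment (not the analysed sample): two link annotations reusing gateway URLs
# from the report's URL list, plus one benign decoy link.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
/A << /S /URI /URI (http://uncpbisdegree.com/download3.php?q=the-bhs-training-manual-for-stage-2.pdf) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
/A << /S /URI /URI (http://uncpbisdegree.com/download4.php?q=the-bhs-training-manual-for-stage-2.pdf) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 100 80]
/A << /S /URI /URI (http://www.bhsscotland.org.uk/) >> >> endobj
%%EOF
"""
# Constructed body text carrying the lure phrase.
SAMPLE_BODY_TEXT = "The BHS Training Manual for Stage 2 -- Click here to download the full PDF"

if __name__ == "__main__":
    for label, fired in triage(SAMPLE_PDF, SAMPLE_BODY_TEXT, ml_score=0.7299).items():
        print(f"{label:25s} {'FIRED' if fired else '-'}")
```

Run against the URL list above, `is_download_gateway` matches only the two uncpbisdegree.com links; the `.pdf` paths on riverside-resort.net and davidparmenter.com are plain document URLs and satisfy neither rule, which is the padding the PDF_SEO_FAKE_DOWNLOAD description refers to. The regex-based extractor is for illustration: real PDFs frequently place link annotations inside compressed object streams, so production triage should decompress streams or use a proper PDF parser before applying the URL rules.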
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000568a.bin | 831118268f0e7db6a0c66cd316835870fc0bfb779c2c4ed065d8d03303c2c813 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x568A | 10268 bytes |
| font_01_sfnt_off00007732.bin | 908e917eb64aa29fad4a3b7fcf6472c3b92bc8fb64e47f5ed9449cadd3395525 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7732 | 7492 bytes |