Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
Heuristic matches indicate that this PDF is a fake download lure built with SEO-poisoning techniques. It embeds URLs pointing to a domain designed to trick users into downloading a malicious file. The ML classifier also flagged the PDF as malicious with high confidence.
Machine Learning
- Nyx PDF Classifier malicious score 0.9136
Heuristics (4)
- Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD: The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI [info] PDF_URI: PDF contains an external URL action.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://uncpbisdegree.com/download3.php?q=the-clinic-alex-delaware-no-11.pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00004f3e.bin | f36a3a44392845cefdc4c4b3a202a400d7bddccfa85f67d954ace888c867615b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F3E | 10404 bytes |
| font_01_sfnt_off0000705b.bin | 8acef45b22ead9c2850ffeb052c6cc218ec2ee457e54a03cf13210a09ece3c5c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x705B | 6492 bytes |