Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious Link
The sample is a PDF file flagged by a machine learning classifier as malicious. It contains embedded URLs pointing to a domain associated with fake download lures, specifically designed to trick users into downloading unwanted content. The heuristic 'PDF_SEO_FAKE_DOWNLOAD' strongly indicates a deceptive SEO poisoning tactic.
Machine Learning
- Nyx PDF Classifier malicious score 0.9395
Heuristics (4)
- Fake 'free download' SEO-poisoning PDF (critical, PDF_SEO_FAKE_DOWNLOAD): The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. First URL: http://uncpbisdegree.com/download3.php?q=student-exploration-identifying-nutrients-answers.pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off00004c0e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4C0E | 10292 bytes | 86156ee3054b5b780c272660becb2d1bd044a4973f4d49d38fbf775654829e91 |
| font_01_sfnt_off00006cbd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CBD | 7308 bytes | 00b19c4c4764d3c7a3df92712d007a3d9fa0c59828654dbbe97429a027a69754 |