Malicious PDF — malware analysis report

Heuristics 4

• Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
  The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
• PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
  PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
• Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
  Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://uncpbisdegree.com/download3.php?q=the-magic-bicycle.pdf In PDF document text

  • http://uncpbisdegree.com/download4.php?q=the-magic-bicycle.pdfIn PDF document text
  • http://pedalmagic.com/In PDF document text
  • http://www.bicycle-cards.co.uk/In PDF document text
  • http://www.penguinmagic.com/In PDF document text
  • http://www.freepostmagic.co.uk/In PDF document text
  • http://www.magicshine.com/In PDF document text
  • http://www.internationalmagic.com/In PDF document text
  • https://www.vanishingincmagic.com/In PDF document text
  • http://www.bicycleretailer.com/In PDF document text
  • http://www.funinc.com/In PDF document text
  • http://www.srcc.com/In PDF document text
  • http://www.oko.com/products/bicycle-products/oko-magic-milk-for-tubeless-bikes/In PDF document text
  • http://www.vietnam-bicycle.com/In PDF document text
  • http://www.goldenmotor.com/In PDF document text
  • http://www.oldbike.eu/museum/frame-number-bicycle-dating-guide/In PDF document text
  • http://www.bubbaspamperedpedalers.com/coast-2-coastIn PDF document text
  • http://www.themagiccompany.com/cat_main.htmlIn PDF document text
  • http://harpinanawhinin.com/Tabs/midis_to_tab/midis_to_tab_Bsongs.htmIn PDF document text
  • http://www.bcycle.com/In PDF document text
  • http://www.magic-offreco.com/?mode=grp&gid=180914&sort=nIn PDF document text
  • http://magicvalley.com/news/local/magic-valley-neighbors-recently-published-obituaries/collection_264224d6-9eb5-5748-a04a-f1e534f6537b.htmlIn PDF document text
  • http://www.struck.us/CheckList/BicyclingChecklist.htmlIn PDF document text
  • http://riverside-resort.net/1/teaching-english-language.pdfIn PDF document text
  • http://riverside-resort.net/1/sentry-sp900-owners-manual.pdfIn PDF document text
  • http://riverside-resort.net/1/solutions-of-halliday-resnick-walker-8th-edition.pdfIn PDF document text
  • http://riverside-resort.net/1/tiny-pieces-of-skull-or-a-lesson-in-manners.pdfIn PDF document text
  • http://riverside-resort.net/1/the-voivod-a-ghost-story.pdfIn PDF document text
  • http://riverside-resort.net/1/toyota-u151e-u151f-transmission-repair-manual.pdfIn PDF document text
  • http://riverside-resort.net/1/solving-problems-year-3-activities-for-the-daily-maths-lesson-1st-edition.pdfIn PDF document text
  • http://riverside-resort.net/1/the-adobe-photoshop-cs5-book-for-digital-photographers-voices-that-matter.pdfIn PDF document text
  • http://riverside-resort.net/1/ss2-economics-third-term-scheme-of-work-2018.pdfIn PDF document text
  • http://riverside-resort.net/1/the-journey-to-tunisia-1914-paul-klee-august-macke-louis-moilliet.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://www.aliexpress.com/item/Bicycle-Open-Close-Chain-Magic-Buckle-Repair-Removal-Tool-Bike-Master-Link-Plier/32807785441.htmlIn PDF document text
  • https://www.aliexpress.com/item/2pcs-Set-Bicycle-Super-Gaff-Deck-Blue-Red-Magic-Cards-Playing-Card-Poker-Close-Up-Stage/32749272854.htmlIn PDF document text
  • https://sails.overdrive.com/In PDF document text
  • http://www.sheldonbrown.com/singlespeed.htmlIn PDF document text
  • http://sanomagic.world.coocan.jp/Lineup/english_sanomagicbikelineup.htmIn PDF document text
  • https://en.wikipedia.org/wiki/Professional_wrestling_attacksIn PDF document text
  • https://en.wikipedia.org/wiki/RoundaboutIn PDF document text
  • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=JA_EN&a=http%3a%2f%2fwww.magic-offreco.com%2f%3fmode%3dgrp%26gid%3d180914%26sort%3dnIn PDF document text
  • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
  • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
  • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
  • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
  • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
  • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.