MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The PDF file contains embedded URLs and document body text that mimic a Standard Chartered Bank login page, suggesting a phishing attempt. The presence of a heuristic indicating a visual download button further supports this. The primary malicious URLs extracted are http://uncpbisdegree.com/download3.php?q=standard-chartered-bank-pakistan-online-login.pdf and http://uncpbisdegree.com/download4.php?q=standard-chartered-bank-pakistan-online-login.pdf, which are likely used to deliver a secondary payload. The ML classifier also flagged this PDF as malicious.
Machine Learning
- Nyx PDF Classifier malicious score 0.9545
Heuristics 4
-
Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOADThe ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
-
PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARMPDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://uncpbisdegree.com/download3.php?q=standard-chartered-bank-pakistan-online-login.pdf In PDF document text
- http://uncpbisdegree.com/download4.php?q=standard-chartered-bank-pakistan-online-login.pdfIn PDF document text
- https://netbanking.bankalfalah.com/ib/In PDF document text
- https://dawaai.pk/In PDF document text
- https://www.zainhosting.com/In PDF document text
- https://www.riyadbank.com/en/info-tools/iban-generatorIn PDF document text
- http://riverside-resort.net/1/sponges-cnidarians-review-and-reinforce-answers.pdfIn PDF document text
- http://riverside-resort.net/1/six-grade-science-final-exam.pdfIn PDF document text
- http://riverside-resort.net/1/ship-design-and-construction.pdfIn PDF document text
- http://riverside-resort.net/1/soil-carbon-sequestration-under-organic-farming-in-the-mediterranean-environment-2008.pdfIn PDF document text
- http://riverside-resort.net/1/solutions-manual-introduction-thermal-physics-schroeder.pdfIn PDF document text
- http://riverside-resort.net/1/short-motivational-stories-for-students.pdfIn PDF document text
- http://riverside-resort.net/1/the-insiders-the-insiders-series-book-1.pdfIn PDF document text
- http://riverside-resort.net/1/theravent-walgreens.pdfIn PDF document text
- http://riverside-resort.net/1/the-chili-hot-mexican-cookbook-sizzling-dishes-from-mexico-with-90-classic-chili-recipes.pdfIn PDF document text
- http://riverside-resort.net/1/smartest-401-k-book-youll-ever-read-maximize-your-retirement-savings-the-smart-way.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://online.standardchartered.com/nfs/ibank/pk/foa/login.htmIn PDF document text
- https://www.sc.com/pk/In PDF document text
- https://www.sc.com/hk/In PDF document text
- https://online.standardchartered.com/nfs/ibank/pk/foa/logout.htmIn PDF document text
- https://s2bssotest.standardchartered.com/ssoapp/login.jspIn PDF document text
- http://www.accaglobal.com/In PDF document text
- https://www.meezanbank.com/about-us/In PDF document text
- https://mail.google.com/mail/u/0/In PDF document text
- https://en.wikipedia.org/wiki/WestJetIn PDF document text
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
- https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00003e85.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x3E85 | 10384 bytes |
SHA-256: 47e45c49e2c6e5a0ef31cadab9a557bb600b1a9b0a934fb1b9c5fd87aab799ae |
|||
font_01_sfnt_off00005f8d.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F8D | 7216 bytes |
SHA-256: b775807d166a627ed89225793de6fdb0abe3536dbd63725a86f17eec76a03e78 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.