MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The PDF document contains a large number of external links, identified as a link farm, with the primary goal of directing users to potentially malicious content. One of the extracted URLs, http://bestsmartfind.com/accesss/RVNDIEFkUG9zdGVyRVN.elwell.emigration/heartbroken/camus/oxygenation/ZG93bmxvYWR8VUo2T0hOd2NueDhNVFkxTmpnNU1qTTFNbng4TWpVNE4zeDhLRTBwSUVobGNtOXJkU0JiUm1GemRDQkhSVTVk/, is flagged as a suspicious external URI. The presence of a 'LOLBin token sequence' further suggests an attempt to disguise or facilitate the execution of malicious commands.
Machine Learning
- Nyx PDF Classifier clean score 0.0077
Heuristics 4
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://bestsmartfind.com/accesss/RVNDIEFkUG9zdGVyRVN.elwell.emigration/heartbroken/camus/oxygenation/ZG93bmxvYWR8VUo2T0hOd2NueDhNVFkxTmpnNU1qTTFNbng4TWpVNE4zeDhLRTBwSUVobGNtOXJkU0JiUm1GemRDQkhSVTVk/
- https://quiet-citadel-00086.herokuapp.com/harkhar.pdf
- https://www.twp.ferguson.pa.us/sites/g/files/vyhlif576/f/styles/news_image_teaser/public/news/pages_from_bos_agenda_packet_05-16-2022_with_links.pdf
- https://hard-times.us/wp-content/uploads/2022/07/Altarsoft_PDF_Converter__WinMac.pdf
- https://polar-waters-33886.herokuapp.com/Animation_Cursor_ActiveX.pdf
- https://gsmile.app/upload/files/2022/07/wdNchRSmjAgPa9b7mLkO_04_16b7ec6487296fc0453071b3f596074f_file.pdf
- https://unmown.com/upload/files/2022/07/y86yIKfiCsCQ3GPCoTq7_04_834e106af69e080a4dd8360c02f8077f_file.pdf
- https://www.pinio.eu/wp-content/uploads//2022/07/pnggauntlet.pdf
- https://nb-gallery.com/powercmd-activator-free-download-pc-windows-april-2022/
- https://peaceful-taiga-14961.herokuapp.com/renjar.pdf
- https://www.kultur-digital.com/wp-content/uploads/2022/07/Photo_Web_Album.pdf
- https://www.raven-guard.info/wp-content/uploads/2022/07/GeSoLe__Crack___Free_License_Key_Download_Updated_2022.pdf
- https://dry-reef-61660.herokuapp.com/ocetale.pdf
- https://ilsignoredicampagna.it/wp-content/uploads/2022/07/kershar.pdf
- https://thehomeofheroes.org/kids-colouring-book-crack-mac-win-latest-2022/
- https://ssmecanics.com/crawl-multiple-sites-looking-for-links-software-crack-free-registration-code-free-download-3264bit-latest/
- http://blackbeargoaly.com/?p=13324
- http://www.nzangoartistresidency.com/?p=23669
- https://logisticseek.com/wp-content/uploads/2022/07/jSimpleX.pdf
- https://coletandovidas.org/wp-content/uploads/2022/07/SiteInFile_Compiler_Crack__Download.pdf
- https://holytrinitybridgeport.org/advert/oracle-mysql-crack-incl-product-key/
- http://www.tcpdf.org
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/
- http://www.aiim.org/pdfa/ns/extension/
- http://www.aiim.org/pdfa/ns/schema#
- http://www.aiim.org/pdfa/ns/property#
- http://www.aiim.org/pdfa/ns/id/
Open this report in the interactive analyzer, or submit your own file for analysis.