MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1059.001 PowerShell
The PDF contains a direct link to an executable payload disguised as a Wikipedia link related to payment services. The ML classifier also flagged this PDF as malicious. The presence of embedded files and the use of ASCII85Decode filters suggest an attempt to conceal malicious content. The primary attack vector appears to be tricking the user into downloading and executing a file.
Machine Learning
- Nyx PDF Classifier malicious score 0.7248
Heuristics 7
-
PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINKPDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.reportlab.com
- http://en.wikipedia.org/w/index.php?title=Payment_service_provider
- http://en.wikipedia.org/w/index.php?title=24x7payments.com
- http://en.wikipedia.org/w/index.php?title=AlertPay
- http://en.wikipedia.org/w/index.php?title=Barclaycard_ePDQ
- http://en.wikipedia.org/w/index.php?title=Beenz
- http://en.wikipedia.org/w/index.php?title=Bucks_Net
- http://en.wikipedia.org/w/index.php?title=CyberBucks
- http://en.wikipedia.org/w/index.php?title=DigiCash
- http://en.wikipedia.org/w/index.php?title=CyberCoin
- http://en.wikipedia.org/w/index.php?title=Datacash
- http://en.wikipedia.org/w/index.php?title=ECash
- http://en.wikipedia.org/w/index.php?title=Elavon
- http://en.wikipedia.org/w/index.php?title=FasterPay
- http://en.wikipedia.org/w/index.php?title=Firstgate
- http://en.wikipedia.org/w/index.php?title=Flooz
- http://en.wikipedia.org/w/index.php?title=Heidelpay
- http://en.wikipedia.org/w/index.php?title=HSBC
- http://en.wikipedia.org/w/index.php?title=IKobo
- http://en.wikipedia.org/w/index.php?title=IKP
- http://en.wikipedia.org/w/index.php?title=LibertyReserve
- http://en.wikipedia.org/w/index.php?title=MagicMoney
- http://en.wikipedia.org/w/index.php?title=Microeuro
- http://en.wikipedia.org/w/index.php?title=MicroMint
- http://en.wikipedia.org/w/index.php?title=Micromoney
- http://en.wikipedia.org/w/index.php?title=MilliCent
- http://en.wikipedia.org/w/index.php?title=Mondex
- http://en.wikipedia.org/w/index.php?title=Moneybookers
- http://en.wikipedia.org/w/index.php?title=MPAY24
- http://en.wikipedia.org/w/index.php?title=NetCash
- http://en.wikipedia.org/w/index.php?title=Ouroboros
- http://en.wikipedia.org/w/index.php?title=Pago
- http://en.wikipedia.org/w/index.php?title=PayMe
- http://en.wikipedia.org/w/index.php?title=PayPal
- http://en.wikipedia.org/w/index.php?title=PayPay
- http://en.wikipedia.org/w/index.php?title=PayPoint.net
- http://en.wikipedia.org/w/index.php?title=PaySafeCard
- http://en.wikipedia.org/w/index.php?title=PayYourRent.com
- http://en.wikipedia.org/w/index.php?title=PayXpert
- http://en.wikipedia.org/w/index.php?title=PayWord
- http://en.wikipedia.org/w/index.php?title=PeerTransfer
- http://en.wikipedia.org/w/index.php?title=Peppercoin
- http://en.wikipedia.org/w/index.php?title=Qunits.net
- http://en.wikipedia.org/w/index.php?title=RBS_WorldPay
- http://en.wikipedia.org/w/index.php?title=Realex
- http://en.wikipedia.org/w/index.php?title=RentPayment
- http://en.wikipedia.org/w/index.php?title=Sage_Pay
- http://en.wikipedia.org/w/index.php?title=Safecharge
- http://en.wikipedia.org/w/index.php?title=Secure_Trading
- http://en.wikipedia.org/w/index.php?title=SIX_Card_Solutions_GmbH
+10 more URL(s)
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0090.bin56ac46d5226eb8ed1089c68fc604a3d77e670ed255ce7cfc7b11cf5889472012 |
pdf-embedded-file | PDF EmbeddedFile object 90 at offset 0xE204 | 31834 bytes |
embedded_file_obj0088.bind81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777 |
pdf-embedded-file | PDF EmbeddedFile object 88 at offset 0x11685 | 84 bytes |
embedded_file_obj0089.bin24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0 |
pdf-embedded-file | PDF EmbeddedFile object 89 at offset 0x11737 | 228 bytes |
embedded_file_obj0091.binc97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460 |
pdf-embedded-file | PDF EmbeddedFile object 91 at offset 0x11828 | 199 bytes |
embedded_file_obj0092.bin846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7 |
pdf-embedded-file | PDF EmbeddedFile object 92 at offset 0x11919 | 119 bytes |
embedded_file_obj0093.bine6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876 |
pdf-embedded-file | PDF EmbeddedFile object 93 at offset 0x119D1 | 77 bytes |
embedded_file_obj0094.bin92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a |
pdf-embedded-file | PDF EmbeddedFile object 94 at offset 0x11A78 | 56 bytes |
stream_001_off000047d7.bindd61f9b7e9810726b48da8ef71fccdf9703f17e2db2b306fbf30e6ddffb21e06 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x47D7 | 14096 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.