MALICIOUS, Risk Score 82
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
This PDF document contains multiple embedded and invisible links designed to trick the user into downloading a payload. The primary malicious URL identified is http://www.pdfupdatersacrobat.top/website/hts-cache/index.php?userid=info@narainsfashionfabrics.com, which is repeatedly linked within the document body. The use of URL shorteners and Dropbox links suggests an attempt to obscure the final payload destination. No scripts were extracted, but the structure strongly implies a downloader or dropper functionality.
Machine Learning
- Nyx PDF Classifier clean score 0.0834
Heuristics 3
- Invisible/repeated PDF links deliver payload file (critical, PDF_REPEATED_PAYLOAD_LINK_LURE): PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
- Clickable URI uses URL shortener (medium, PDF_URL_SHORTENER_URI): PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off000010d7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D7 | 168888 bytes | 979e2568a5296c27334e70aedc0866d374f2b4caf95574736cf51bb4006b8059 |
| font_01_sfnt_off00014901.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14901 | 169476 bytes | a6eacb5f4c318f191f5c7ef56b8a9d24965db43dd12e86dc8eafc984e1163d47 |