MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The PDF document contains heuristics indicating an external URI and a high ML classifier score, suggesting malicious intent. The document body and extracted URLs point to a lure related to a 'wireshark ssl solution' and include suspicious download links. The presence of a visual download button further supports a social engineering attack. The primary attack pattern involves tricking the user into downloading a potentially malicious file disguised as a software solution.
Machine Learning
- Nyx PDF Classifier malicious score 0.8839
Heuristics 4
-
Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOADThe ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
-
PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARMPDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://uncpbisdegree.com/download3.php?q=wireshark-ssl-solution.pdf In PDF document text
- http://uncpbisdegree.com/download4.php?q=wireshark-ssl-solution.pdfIn PDF document text
- http://jaredheinrichs.com/the-npf-driver-isnt-running-wireshark.htmlIn PDF document text
- https://base-2solutions.com/In PDF document text
- https://www.silverf0x00.com/tls-extended-master-secret-breaking-ssl-proxies/In PDF document text
- http://www.ciscozine.com/how-to-configure-cisco-vpn-ssl-aka-webvpn/In PDF document text
- https://www.carlstalhood.com/ssl-load-balancing-netscaler-11/In PDF document text
- https://www.askapache.com/htaccess/In PDF document text
- https://www.askapache.com/category/htaccess/In PDF document text
- https://www.teracomtraining.com/courses/260-ceh-certified-ethical-hacker.htmIn PDF document text
- http://www.thepicketts.org/2013/02/how-to-install-adfs-2-0-and-configure-saml-for-sso-auto-loginad-login-integration/In PDF document text
- http://uncpbisdegree.com/1/spanish-supersite-leccion-3-answers.pdfIn PDF document text
- http://uncpbisdegree.com/1/the-darling-buds-of-may.pdfIn PDF document text
- http://uncpbisdegree.com/1/study-guide-for-content-mastery-chapter-12-4-answers.pdfIn PDF document text
- http://uncpbisdegree.com/1/solution-of-sn-dey-of-class-11.pdfIn PDF document text
- http://uncpbisdegree.com/1/softball-tryout-assessment-sheets.pdfIn PDF document text
- http://uncpbisdegree.com/1/statics-meriam-7th-edition-solution-manual.pdfIn PDF document text
- http://uncpbisdegree.com/1/suzuki-wagon-r-owner-manual.pdfIn PDF document text
- http://uncpbisdegree.com/1/the-grand-chessboard-american-primacy-and-its-geostrategic-imperatives-zbigniew-brzezinski.pdfIn PDF document text
- http://uncpbisdegree.com/1/spirit-week-flyer-template.pdfIn PDF document text
- http://riverside-resort.net/1/utica-gas-boilers-service-manual.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://www.wireshark.org/In PDF document text
- https://stackoverflow.com/questions/1339691/filter-by-process-pid-in-wiresharkIn PDF document text
- https://confluence.atlassian.com/kb/how-to-capture-http-traffic-using-wireshark-or-fiddler-779164332.htmlIn PDF document text
- https://www.linkedin.com/learning/learning-cryptography-and-network-security/using-wireshark-to-crack-wepIn PDF document text
- https://stackoverflow.com/questions/38745884/tls-version-mismatchIn PDF document text
- https://nmap.org/7/In PDF document text
- https://www.experts-exchange.com/questions/24099012/CoreFTP-SSL-Connection-Problem.htmlIn PDF document text
- https://www.rtl-sdr.com/rtl-sdr-tutorial-analyzing-gsm-with-airprobe-and-wireshark/In PDF document text
- https://h30434.www3.hp.com/t5/Inkjet-Printing/m4345-mfp-smtp-ssl-issues/td-p/5078018In PDF document text
- https://h30434.www3.hp.com/t5/Printers/ct-p/InkJetIn PDF document text
- https://h30434.www3.hp.com/t5/Inkjet-Printing/bd-p/PostPrintIn PDF document text
- http://www.books.com.tw/products/0010668982In PDF document text
- http://www.books.com.tw/web/books_bmidm_1907/In PDF document text
- http://www.books.com.tw/web/sys_bbotm/books/190703/In PDF document text
- http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=ZH-CHT_EN&a=http%3a%2f%2fwww.books.com.tw%2fproducts%2f0010668982In PDF document text
- https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.htmlIn PDF document text
- https://community.spiceworks.com/topic/741103-enable-tls-1-0-using-registryIn PDF document text
- https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.htmlIn PDF document text
- https://serverfault.com/questions/50289/ftp-ssl-in-passive-mode-with-portrange-which-ports-has-to-be-open-on-the-firewaIn PDF document text
- https://superuser.com/questions/622434/can-self-signed-ssl-certificate-be-renewed-howIn PDF document text
- https://serverfault.com/questions/541364/how-to-fix-rdp-on-windows-server-2012In PDF document text
- https://wiki.mozilla.org/Security/Server_Side_TLSIn PDF document text
- https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-whatIn PDF document text
- https://social.technet.microsoft.com/wiki/contents/articles/4494.windows-server-troubleshooting-the-rpc-server-is-unavailable.aspxIn PDF document text
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
- https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
+3 more URL(s)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000055a9.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x55A9 | 10144 bytes |
SHA-256: 6faf2415767c8f56a7cdaa24c344a1ee62c5f8fa7aa72ecdbbd597aa9c5b110a |
|||
font_01_sfnt_off0000761b.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x761B | 6900 bytes |
SHA-256: 1ff5c717c68a187ad8032f8fcb191c41896b3ea2351a5ea18434771eaa2050a2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.