Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.007 JavaScript
- T1203 Exploitation for Client Execution
The PDF file contains heuristics indicating it is a fake download lure, specifically using SEO poisoning to attract users searching for 'tales from the workhouse'. The embedded URLs point to a domain designed to serve malicious content. While no scripts were explicitly extracted, the PDF structure and ML classifier strongly suggest malicious intent, likely involving the exploitation of a PDF vulnerability to execute a payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9340
Heuristics (4)
- PDF_SEO_FAKE_DOWNLOAD (critical): Fake 'free download' SEO-poisoning PDF. The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure. Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- PDF_URI (info): External URI. PDF contains an external URL action.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://uncpbisdegree.com/download3.php?q=tales-from-the-workhouse.pdf (PDF link annotation)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000471e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x471E | 10004 bytes | d8d5d7df0d70966732dd831c9c5bba6851bcfa88254973614739297af91b04e7 |
| font_01_sfnt_off000066f6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x66F6 | 6852 bytes | e0e67eb20ca4f64ff0345b379fb96004728e41ed2035f63b99e0f103126175cf |