Malicious PDF — malware analysis report

Static analysis result for SHA-256 03a1a3bcf443b23d…

Verdict: MALICIOUS
File type: PDF
Size: 34.6 KB
Created: 2018-06-11 09:19:24 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: a7045fc07b8d014618fe06329583a889
SHA-1: 82bfc370ebe2230f502429ebea4cc89b2a31fd37
SHA-256: 03a1a3bcf443b23d6f9aaa27cd82e0827d8747bb31a102dfd91993ae338e49e1
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by an ML classifier and matches heuristics indicating a fake-download SEO-poisoning document. The document body and the extracted URLs point to a lure built around a 'Starbucks safety manual' that tricks users into clicking a link which likely leads to a malware download. The presence of a fake download button further supports this malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9395

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off00004c0d.bin | 7acb840b02d73d59af4bfc0407d341ee1afc2d40ae93dc034e4bd40097c20ae5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4C0D | 10096 bytes
font_01_sfnt_off00006c3c.bin | 3def27fe024a3145f6a9cf24f467006c63758a23bb9ee9bd251e337dcf928c37 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C3C | 7156 bytes