Malicious PDF — malware analysis report

Static analysis result for SHA-256 051f06f3e4a92e63…

Verdict: MALICIOUS
File type: PDF
Size: 33.9 KB
Created: 2018-06-11 08:24:16 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: da7ba596c2437dcfbd0f46f8bc563346
SHA-1: 4d75d59c7eeb083482e8aefb3c355e5d281a3252
SHA-256: 051f06f3e4a92e6306df1fd8721da28806ea67b48f3d5b0299623ba9cd081c33
Risk score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was classified as malicious by an ML classifier and matches heuristics indicating it is a fake download lure delivered through SEO poisoning. The document body and embedded links point to URLs designed to trick users into downloading further malicious content while masquerading as academic resources. The primary malicious URLs are http://uncpbisdegree.com/download3.php?q=solutions-to-differential-equations.pdf and http://uncpbisdegree.com/download4.php?q=solutions-to-differential-equations.pdf.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9340

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (critical) [PDF_SEO_FAKE_DOWNLOAD]
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure (low) [SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000485a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x485A
    Size: 10680 bytes
    SHA-256: 71b7c9d3a9da3f91a70ffce4005c0a99443b3b2cbed8dff949a5f599f53c23c1
  • Filename: font_01_sfnt_off00006a4f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A4F
    Size: 6996 bytes
    SHA-256: 385b4df6e87d12c94b9a08cee115f431a30c53086c3e0a2dc1cafa38b8105100