Malicious PDF — malware analysis report

Static analysis result for SHA-256 07c54b8fb8fee1f4…

MALICIOUS

Type: PDF (53.6 KB)
Created: 2018-06-11 08:48:40 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: d18e85dd542ca3e53969a72cefef32b1
SHA-1: c445beea94c45dce02a62451f5dd8afff237c61b
SHA-256: 07c54b8fb8fee1f484100b288f778540e63766c1b935a4a3fa1aa6a70e96854e
Risk score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF is detected as malicious by the ML classifier (Nyx, score 0.5613, a weak hit consistent with the decoy-link padding described under the heuristics) and by ClamAV, which names it Pdf.Dropper.Agent-9250275-0. The critical heuristic identifies it as a fake "free download" SEO-poisoning PDF: a visual download lure plus two server-side download-gateway links on uncpbisdegree.com (download3.php and download4.php) whose query string names a "user manual" document. Those gateway links are the likely delivery channel for a second-stage payload disguised as the manual; the remaining URLs (manual-hosting sites, Bing ad redirects, Microsoft fwlinks, font licensing) are decoys or benign authoring residue and should not be treated as indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5613

Heuristics (5)

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • ClamAV: Pdf.Dropper.Agent-9250275-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9250275-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=user-manual-carrier-heat-pump.pdf
    • http://uncpbisdegree.com/download4.php?q=user-manual-carrier-heat-pump.pdf
    • http://homeappliance.manualsonline.com/manuals/mfg/carrier/carrier_heat_pump_product_list.html
    • https://all-guides.com/model/carrier/38aqs016.html
    • https://all-guides.com/model/carrier/50hjq014.html
    • https://www.manualagent.com/carrier/heat-pump
    • https://manuals.world/manuals/carrier/carrier-heat-pump-38vyx080.html
    • http://homeappliance.manualsonline.com/support/carrier/heat-pump/
    • http://uncpbisdegree.com/1/the-holy-piby-the-blackmans-bible.pdf
    • http://uncpbisdegree.com/1/the-ice-master-doomed-1913-voyage-of-karluk-jennifer-niven.pdf
    • http://riverside-resort.net/1/va-career-view-word-search-answers.pdf
    • http://riverside-resort.net/1/wiring-diagram-vw-lt-28.pdf
    • http://uncpbisdegree.com/1/the-bounty-hunters-elmore-leonard.pdf
    • http://uncpbisdegree.com/1/submerged-alaskan-courage-1-dani-pettrey.pdf
    • http://riverside-resort.net/1/waec-biology-question-answer-for-2017-objective-and-essays.pdf
    • http://uncpbisdegree.com/1/staffing-to-support-business-strategy-staffing-strategically.pdf
    • http://uncpbisdegree.com/1/the-art-of-neighboring-building-genuine-relationships-right-outside-your-door-jay-pathak.pdf
    • http://riverside-resort.net/1/visiting-mrs-nabokov-and-other-excursions-martin-amis.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://www.manualslib.com/brand/carrier/heat-pump.html
    • https://www.manualslib.com/brand/
    • https://www.manualslib.com/brand/carrier/
    • https://www.manualslib.com/manual/751192/Carrier-Heat-Pump.html
    • https://www.carrier.com/residential/en/us/products/heat-pumps/
    • https://174104319.r.bat.bing.com/?ld=d30qvRE6btxziHFYfRh4oiKjVUCUweN3ko-Z_5ejly1JqyO6qh7X3KXn8ZPcdYQWgNwt6JtCecBuRkX6nNbcaZ0w8V_eL_pwba-x_GAH7wbsQZUIeCPGGvBU6qez9n5vxN0YsB5Qq4asdpVvNfXLeywtbWheTC7AkzM8mJENgdfF8UevSG&u=http%3a%2f%2fwww.info.com%2fCarrier%2520Heat%2520Pump%2520Manual%3fsegment%3dinfo.0377%26msclkid%3d%7bmsclkid%7d
    • https://0.r.bat.bing.com/?ld=d3imq7rNujo9tlH0tFGwaSszVUCUzWliO3_8BPup12rFm9ilMZYPukawo8k3HNx9QzSL2j3APt4QNECJM5F867gWtkT4b5niIEkTt3cdmETKqIHcAAT1qoLy1Ffjsn4jW1jt67E6B686MohnPFpyFzlY14AeLW-BZurjdhoczFU67sld8d&u=www.productmanuals.org%2flp%2f%3fbrand%3dCarrier%26utm_source%3dadcenter%26utm_medium%3dcpc%26utm_term%3dcarrier%2520user%2520manual%26utm_network%3d%7b%7d%26utm_campaign%3dFM%2bBrands%2b02-03
    • http://go.microsoft.com/fwlink/?LinkID=617350
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://www.carrier.com/residential/en/us/products/heat-pumps
    • https://165000794.r.bat.bing.com/?ld=d3G_4HoE9XkC59p50CtS7uVDVUCUxjcgUrJUcIC8piZ1nc7NDMc8En_Cc0YJl0CC7MO7hKNTlTf02U49vy3OqRZpAvUY56cY7XflZkvn0x9-FVEb8QXtHZU_S5wxhRV-U2Q75xPBkkXcLb2oMgplYEClKUsXn-jbaJ3eh2JnBDuzBezB4Q&u=https%3a%2f%2fdownloadsearch.cnet.com%2fs%3fq%3dcarrier%2bheat%2bpump%2bmanual%26qsrc%3d0%26src%3djo%26gch%3dAdNetB_CNET_19%26au%3d11652601%26tt%3dT0000148%26clickid%3d%7bmsclkid%7d%26utm_medium%3dcpc%26utm_source%3dbing%26utm_campaign%3dUSA_EN_00_P_BusinessIndustrial_TPSG00_oo_oo_S_A148%26ct%3d%26mkt%3dUSA%26ts%3db%26msclkid%3d%7bmsclkid%7d
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
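The PDF_SEO_FAKE_DOWNLOAD heuristic above is a three-way conjunction (ML flag, call-to-action lure, off-domain download-gateway link), and the EMBEDDED_URL entry notes that each URL is labelled by the channel that reached it. The following is an added example written for this page, not the analysis platform's own detection code, showing one way to implement both: pull /URI link actions and Tj text out of a PDF, classify each URL as gateway or decoy, and fire the verdict only when all three signals hold. Assumptions: the PDF fragment is constructed and stores its streams uncompressed (real files usually need FlateDecode inflation first); "off-domain" is approximated by an expected_hosts allowlist; the gateway test keys on a download*.php-style path whose query value ends in a document extension. The URLs in REPORT_URLS are copied from the list above.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample, not the analysed file: a minimal PDF fragment with two
# /URI link actions and one text-showing operator carrying the lure phrase.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://uncpbisdegree.com/download3.php?q=user-manual-carrier-heat-pump.pdf) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.manualslib.com/brand/carrier/heat-pump.html) >> >> endobj
3 0 obj << /Length 44 >> stream
BT /F1 12 Tf (Click here to download) Tj ET
endstream endobj
%%EOF
"""

# A subset of the URLs from the report, to show how the gateway test separates
# the two download*.php links from the decoys.
REPORT_URLS = [
    "http://uncpbisdegree.com/download3.php?q=user-manual-carrier-heat-pump.pdf",
    "http://uncpbisdegree.com/download4.php?q=user-manual-carrier-heat-pump.pdf",
    "https://www.manualslib.com/brand/carrier/heat-pump.html",
    "http://uncpbisdegree.com/1/the-bounty-hunters-elmore-leonard.pdf",
    "https://www.carrier.com/residential/en/us/products/heat-pumps/",
    "http://go.microsoft.com/fwlink/?LinkID=617350",
]

# PDF literal string: backslash escapes allowed, no unescaped ')' inside.
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"
URI_ACTION = re.compile(rb"/URI\s*" + PDF_STRING)   # /URI (....) inside a link action
TEXT_SHOW = re.compile(PDF_STRING + rb"\s*Tj")      # (....) Tj text-showing operator
CTA_PHRASES = re.compile(r"\b(click here to download|download now|free (pdf )?download|download pdf)\b", re.I)
GATEWAY_PATH = re.compile(r"/download\d*\.(php|asp|aspx|cgi)$", re.I)   # assumed gateway shape
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip")


def _unescape(raw):
    """Resolve backslash escapes in a PDF literal string (enough for URLs and lure text)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uri_actions(pdf):
    """Channel 'link annotation': every /URI action string in the file."""
    return [_unescape(m) for m in URI_ACTION.findall(pdf)]


def extract_text(pdf):
    """Channel 'document body': text drawn with Tj (uncompressed content streams only)."""
    return " ".join(_unescape(m) for m in TEXT_SHOW.findall(pdf))


def is_download_gateway(url):
    """Server-side download gateway: script path plus a query value naming a document."""
    parts = urlparse(url)
    if not GATEWAY_PATH.search(parts.path):
        return False
    return any(v.lower().endswith(DOC_EXTENSIONS)
               for values in parse_qs(parts.query).values() for v in values)


def seo_fake_download(ml_score, text, urls, expected_hosts=(), threshold=0.5):
    """PDF_SEO_FAKE_DOWNLOAD as a conjunction: fires only when all three signals hold."""
    ml_hit = ml_score >= threshold
    cta_hit = CTA_PHRASES.search(text) is not None
    gateways = [u for u in urls
                if is_download_gateway(u) and urlparse(u).hostname not in expected_hosts]
    return {
        "ml": ml_hit,
        "cta": cta_hit,
        "gateways": gateways,
        "decoy_links": len(urls) - len(gateways),   # padding that dilutes classifier scores
        "verdict": ml_hit and cta_hit and bool(gateways),
    }


if __name__ == "__main__":
    urls = extract_uri_actions(SAMPLE_PDF)
    print(seo_fake_download(0.5613, extract_text(SAMPLE_PDF), urls))
    for u in REPORT_URLS:
        print("gateway" if is_download_gateway(u) else "decoy  ", u)
```

Dropping any one signal (no lure text, a classifier score under the threshold, or the gateway host being an expected first-party host) returns a negative verdict, which is the point of the conjunction: a benign manual PDF with a download button, or a benign PDF with one odd link, does not fire.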

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded fonts left by the authoring tool; no heuristic fires on them, and they are listed so the carved streams can be hashed and checked independently.

font_00_sfnt_off00008653.bin
    SHA-256: 2a6ca3192b4744742a632cac7c73503702df34497afd757422b5e69322aa90b3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8653
    Size: 14220 bytes

font_01_sfnt_off0000b1b0.bin
    SHA-256: 1d5cb2bc58b29e7a968d26dd474f3cd9fc331ead01cecdd99c4885c400af5eb0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB1B0
    Size: 8368 bytes
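The artifact list above records each embedded font by file offset, size and SHA-256. The following is an added example, not the analysis platform's carver, showing how such entries can be produced: scan a byte blob for sfnt magic, validate the table directory, take the font's extent as the furthest table end, and name and hash the result the way the table does. Assumptions: the carrier blob is constructed, and the font streams are stored uncompressed (most PDF font streams are FlateDecode'd and must be inflated before carving); the 64-table sanity cap and the printable-tag check are this example's own plausibility filters.

```python
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF-based OpenType, Apple TrueType
MAX_TABLES = 64                                          # sanity cap, assumed


def sfnt_extent(buf, off):
    """Length of the sfnt at buf[off:], derived from its table directory, or None if implausible."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if any(b < 0x20 or b > 0x7E for b in tag):   # tags are printable ASCII ('OS/2', 'cvt ')
            return None
        if t_off < dir_end or off + t_off + t_len > len(buf):
            return None
        end = max(end, t_off + t_len)
    return end


def carve_sfnt(buf):
    """Scan buf for sfnt headers; return carved fonts named like the report's artifact entries."""
    fonts = []
    i = 0
    while i + 12 <= len(buf):
        if buf[i:i + 4] in SFNT_MAGICS:
            n = sfnt_extent(buf, i)
            if n:
                data = buf[i:i + n]
                fonts.append({
                    "name": "font_%02d_sfnt_off%08x.bin" % (len(fonts), i),
                    "offset": i,
                    "size": n,
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "data": data,
                })
                i += n          # do not rescan inside a carved font
                continue
        i += 1
    return fonts


def build_sample_font():
    """Constructed minimal sfnt (36 bytes): header, one 'head' record, 8 bytes of table data."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    table = b"\x00\x01\x00\x00\x00\x00\x00\x00"
    record = struct.pack(">4sIII", b"head", 0, 12 + 16, len(table))
    return header + record + table


# Constructed carrier: two fonts between PDF-looking filler, as if the streams were uncompressed.
SAMPLE_BLOB = b"%PDF-1.4 junk " + build_sample_font() + b" more junk " + build_sample_font() + b"%%EOF"

if __name__ == "__main__":
    for f in carve_sfnt(SAMPLE_BLOB):
        print(f["name"], f["sha256"], "pdf-font-stream", "offset 0x%X" % f["offset"], f["size"], "bytes")
```

Deriving the size from the table directory rather than from the PDF stream /Length means a font padded or truncated inside its stream is still carved at its true extent, and the sanity checks stop random occurrences of the four-byte magic from producing junk artifacts.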