Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fc21033dae78048…

MALICIOUS

File type: PDF
Size: 35.8 KB
Created: 2018-06-11 09:06:01 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 8823f29b1c1ebed03d1fc0deb4fe76a4
SHA-1: 04f6246ea5e23114c055656f69bc737ec8152cef
SHA-256: 0fc21033dae780486182f37c35cc7946a9ca2acfd16725ba83b1744929bc8cac
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF is flagged as a fake-download lure of the kind distributed through SEO poisoning: it presents itself as a legitimate document (a "solutions manual") and steers the reader to an off-domain server-side download gateway (download3.php / download4.php on uncpbisdegree.com) whose query string names the promised PDF. The ML classifier score (0.9963) and the ClamAV signature match (Pdf.Dropper.Agent-9227674-0) independently indicate malicious intent. The goal is to get the victim to fetch whatever the gateway serves, which need not be the document the lure advertises; the gateway URLs and host are the actionable indicators, while the remaining links are decoys.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics (5)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • ClamAV: Pdf.Dropper.Agent-9227674-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9227674-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding on its own and only matters when other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://uncpbisdegree.com/download3.php?q=solutions-manual-dynamic-soil-structure-interaction-wolf.pdf
    • http://uncpbisdegree.com/download4.php?q=solutions-manual-dynamic-soil-structure-interaction-wolf.pdf
    • http://www.triconference.com/tricon/Speakers/
    • http://www.information-iii.org/abs_e2.html
    • http://sovietbooks.in/
    • http://www.bibme.org/
    • http://www.ngwa.org/Events-Education/Pages/instructor-bios.aspx
    • http://www.ipu.ac.in/syllabus/symtekit2.htm
    • http://quartzpage.de/info_lit.html
    • http://origin.org/
    • http://www.ijera.com/pages/v3no2.html
    • http://www.rexresearch.com/1index.htm
    • http://www.biologyjunction.com/ChapterOutlines_final.doc
    • http://www.lextutor.ca/freq/lists_download/brown_freq.xls
    • http://uncpbisdegree.com/1/systems-analysis-and-design-questions-solutions.pdf
    • http://uncpbisdegree.com/1/staar-biology-eoc-practice-test-answer-guide.pdf
    • http://uncpbisdegree.com/1/the-end-times-in-chronological-order-a-complete-overview-to-understanding-bible-prophecy.pdf
    • http://uncpbisdegree.com/1/short-responses-3rd-grade-ela.pdf
    • http://riverside-resort.net/1/university-physics.pdf
    • http://uncpbisdegree.com/1/spanish-workbook-mcgraw-hill-answers.pdf
    • http://riverside-resort.net/1/web-of-angels-lilian-nattel.pdf
    • http://riverside-resort.net/1/wirral-street-atlas-a-z-street-atlas.pdf
    • http://uncpbisdegree.com/1/sony-vcl-hg0862-owners-manual.pdf
    • http://uncpbisdegree.com/1/tao-the-pathless-path.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://en.wikipedia.org/wiki/Soil
    • http://dx.doi.org/
    • https://chi2018.acm.org/attending/proceedings/
    • https://www.psychologytoday.com/us/blog/inside-the-box/201402/thinking-outside-the-box-misguided-idea
    • https://pt.wikipedia.org/wiki/Livro_digital
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=PT_EN&a=https%3a%2f%2fpt.wikipedia.org%2fwiki%2fLivro_digital
    • https://www.onelook.com/pm/
    • http://ualr.edu/catalogs/undergraduate-catalog/course-codes/
    • https://www.mindat.org/min-3337.html
    • https://www.sciencedirect.com/science/article/pii/S2214753514000102
    • https://en.wikipedia.org/wiki/Terrorism
    • https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.biologyjunction.com%2FChapterOutlines_final.doc
    • http://www.loot.co.za/index/html/index80.html
    • http://www.nairaland.com/672198/great-speeches-african-black-history
    • https://y.qq.com/
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=ZH-CHS_EN&a=https%3a%2f%2fy.qq.com%2f
    • http://slatestarcodex.com/2017/11/29/open-thread-89-75/
    • https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.lextutor.ca%2Ffreq%2Flists_download%2Fbrown_freq.xls
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
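The PDF_SEO_FAKE_DOWNLOAD heuristic above is a conjunction of three signals: the classifier flag, a call-to-action lure, and an off-domain server-side download-gateway link whose query string names a document. The script below is an added example written for this page, not the scanner's own code, that re-implements that conjunction and runs it over a subset of the URLs listed in this report. The ML threshold (0.9), the call-to-action phrase list, the regular expression used to recognise a gateway script, the `own_hosts` notion of "off-domain" and the document text are all assumptions of the example; the report states none of them.

```python
"""Added example: re-implementation of the PDF_SEO_FAKE_DOWNLOAD three-signal
conjunction described in the report.  Illustrative code, not the scanner's."""
import re
from urllib.parse import urlparse, parse_qs

# Inputs constructed from the report.  The ML score and the URLs are the
# report's; the document text is a constructed stand-in for extracted text.
ML_SCORE = 0.9963
ML_THRESHOLD = 0.9          # assumed cut-off; the report does not state one
DOCUMENT_TEXT = (
    "Solutions Manual Dynamic Soil Structure Interaction Wolf\n"
    "Click here to download the full PDF"
)
URLS = [
    "http://uncpbisdegree.com/download3.php?q=solutions-manual-dynamic-soil-structure-interaction-wolf.pdf",
    "http://uncpbisdegree.com/download4.php?q=solutions-manual-dynamic-soil-structure-interaction-wolf.pdf",
    "http://www.triconference.com/tricon/Speakers/",
    "http://www.bibme.org/",
    "http://uncpbisdegree.com/1/systems-analysis-and-design-questions-solutions.pdf",
    "http://riverside-resort.net/1/university-physics.pdf",
    "https://en.wikipedia.org/wiki/Soil",
    "https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.biologyjunction.com%2FChapterOutlines_final.doc",
    "http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=PT_EN&a=https%3a%2f%2fpt.wikipedia.org%2fwiki%2fLivro_digital",
    "https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
]

# Assumed phrase list for the SE_DOWNLOAD_BUTTON lure signal.
CTA_RE = re.compile(
    r"\b(click here to download|download now|free download|download the (full )?pdf)\b", re.I)
# Assumed shape of a server-side download gateway: a script whose name hints
# at fetching (download3.php, getfile.aspx, ...).  A plain viewer such as
# /op/view.aspx does not match.
SCRIPT_RE = re.compile(
    r"/(?:[^/]*(?:download|dl|get|fetch|file)[^/]*)\.(?:php|aspx?|cgi|jsp)$", re.I)
PAYLOAD_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|zip|rar|exe)$", re.I)


def classify_url(url: str, own_hosts: frozenset = frozenset()) -> str:
    """Return 'gateway', 'direct_document' or 'other' for one extracted URL.

    own_hosts is the set of hosts the document legitimately belongs to (an
    assumption of this example); by default every host counts as off-domain.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host and host not in own_hosts and SCRIPT_RE.search(p.path):
        values = [v for vs in parse_qs(p.query).values() for v in vs]
        # A query value that is itself an absolute URL (viewer/translator
        # redirects) is not a payload served by this host, so it is skipped.
        if any(PAYLOAD_RE.search(v) and not v.lower().startswith(("http:", "https:"))
               for v in values):
            return "gateway"
    if PAYLOAD_RE.search(p.path):
        return "direct_document"
    return "other"


def seo_fake_download(ml_score: float, text: str, urls: list,
                      own_hosts: frozenset = frozenset()) -> dict:
    """Evaluate the three-signal conjunction and return verdict plus evidence."""
    buckets = {"gateway": [], "direct_document": [], "other": []}
    for u in urls:
        buckets[classify_url(u, own_hosts)].append(u)
    cta = CTA_RE.search(text)
    signals = {
        "ml_flagged": ml_score >= ML_THRESHOLD,
        "cta_lure": cta is not None,
        "gateway_link": bool(buckets["gateway"]),
    }
    n = len(urls)
    return {
        "verdict": all(signals.values()),
        "signals": signals,
        "cta_phrase": cta.group(0) if cta else None,
        "gateway_urls": buckets["gateway"],
        "direct_document_urls": buckets["direct_document"],
        # Share of links carrying no download signal: the benign padding the
        # report describes as diluting link-based classifiers.
        "decoy_ratio": round(len(buckets["other"]) / n, 2) if n else 0.0,
    }


if __name__ == "__main__":
    result = seo_fake_download(ML_SCORE, DOCUMENT_TEXT, URLS)
    print("PDF_SEO_FAKE_DOWNLOAD:", "critical" if result["verdict"] else "not triggered")
    for key, value in result.items():
        print(f"  {key}: {value}")
```

Two properties of the conjunction are worth checking when tuning it: removing any single signal (no call-to-action text, or treating uncpbisdegree.com as the document's own host so the gateway is no longer off-domain) must drop the verdict, and direct links to `.pdf` paths must not be counted as gateways, otherwise every bibliography with PDF links would trip the rule.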

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font streams (sfnt), consistent with the wkhtmltopdf/Qt authoring chain; neither carries a detection of its own in this report.

Filename: font_00_sfnt_off00004fd8.bin
  SHA-256: 888d04171c5ae6568926747a77aa954b835d43ab696ecac9b4073894da938a1f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4FD8
  Size: 10476 bytes

Filename: font_01_sfnt_off0000710a.bin
  SHA-256: 6ce3c23ea68f1783734799fa4d35e2221c0fc4c8c8e206b289f8622cdede2f56
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x710A
  Size: 6924 bytes