Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fcfaab100e2f8bf…

Verdict: MALICIOUS
File type: PDF
Size: 33.8 KB
Created: 2018-06-11 09:51:34 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 78c299192576f262b715c7bec4c70449
SHA-1: 1d153f840bef69dd2f078a55d5fccfb7852c425d
SHA-256: 0fcfaab100e2f8bf0ffc582ec00eaf61495db7f6327b54951ea4cb56409ca128
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF was flagged by multiple heuristics as a fake download lure, specifically targeting users interested in bee-related topics. The embedded URLs point to a domain designed for distributing malicious files, and ClamAV identified it as a dropper. The primary attack vector is likely spearphishing, leading to the execution of a downloaded payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9454

Heuristics (5)

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • ClamAV: Pdf.Dropper.Agent-9090357-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9090357-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000484a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x484A   10124 bytes
  SHA-256: c8cdfde67d3bdc48fa3fb0886c6e3729951e5e76b724b954678c28e7c8149ee6
font_01_sfnt_off00006892.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6892   7308 bytes
  SHA-256: cba72c7129f42fefdb0d0b3eaea3a00510cf1d2f9bddccc30f5cfe8202a1fc2c