Malicious PDF — malware analysis report

Static analysis result for SHA-256 10e4e3e8bacd3761…

Verdict: MALICIOUS
File type: PDF
Size: 34.9 KB
Created: 2018-06-11 08:12:56 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 3db1206ca211da49f749864d2dc7f727
SHA-1: 73afd74510a9372235d6e3a9d86c20f736db94c3
SHA-256: 10e4e3e8bacd3761e27845503e84cbf1afef63e613e87e58f4c9436b20bd05bd
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF was flagged by the machine learning classifier (malicious score 0.9395), and the heuristics identify it as a fake 'free download' lure of the kind used in SEO-poisoning campaigns. The document body embeds links to a suspicious off-domain download gateway whose query string names the document the victim expects to receive, surrounded by a large number of unrelated decoy links; the layout is designed to funnel the reader to the gateway and onto a malicious payload. The primary malicious URLs are http://uncpbisdegree.com/download3.php?q=tom-ned-and-kitty-an-intimate-portrait-of-an-irish-family.pdf and http://uncpbisdegree.com/download4.php?q=tom-ned-and-kitty-an-intimate-portrait-of-an-irish-family.pdf. This is a static result: the response served by the gateway was not fetched, so the final payload is not characterised here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9395

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=tom-ned-and-kitty-an-intimate-portrait-of-an-irish-family.pdf
    • http://uncpbisdegree.com/download4.php?q=tom-ned-and-kitty-an-intimate-portrait-of-an-irish-family.pdf
    • http://torrentz.eu/search.html
    • http://porno-rips.com/
    • http://www.hornywhores.net/
    • http://www.maryryan.com.au/good-book-guide.php?CategoryID=4
    • https://familyfeudcheat.com/family-feud-cheat-page-2/
    • http://www.venturacountyjazz.com/musician_bios
    • https://dar.fm/dev/
    • http://www.independentauthornetwork.com/book-directory.html
    • http://www.justatickets.com/Concerts
    • https://movie-list.com/archive.php
    • http://www.78rpm.co.uk/tvr.htm
    • http://helendoxfordharris.com.au/archives/category/vicindexes
    • http://helendoxfordharris.com.au/archives/category/vicindexes/criminal-other-case
    • http://www.bookpalace.com/acatalog/ArtistsBiographies.html
    • http://www.lextutor.ca/freq/lists_download/brown_freq.xls
    • http://riverside-resort.net/1/twelve-powers-in-you.pdf
    • http://riverside-resort.net/1/the-six-gun-tarot.pdf
    • http://riverside-resort.net/1/speco-g86ft70gp-speakers-owners-manual.pdf
    • http://riverside-resort.net/1/suzuki-swift-gti-power-windows-wiring.pdf
    • http://riverside-resort.net/1/the-kings-speech-how-one-man-saved-the-british-monarchy.pdf
    • http://riverside-resort.net/1/tender-offer.pdf
    • http://riverside-resort.net/1/ten-keys-to-successful-strategic-planning-for-nonprofit-and.pdf
    • http://riverside-resort.net/1/the-soul-of-the-marionette-a-short-enquiry-into-human-freedom.pdf
    • http://riverside-resort.net/1/tate-to-tate-a-walk-along-londons-south-bank.pdf
    • http://riverside-resort.net/1/the-quran-anonymous.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://abcnews.go.com/entertainment
    • https://www.amazon.com/movies-tv-dvd-bluray/b?node=2625373011
    • https://en.wikipedia.org/wiki/Special:Search
    • http://www.lib.berkeley.edu/MRC/socialclass.html
    • http://eu.nifty.org/nifty/authors.html
    • https://www.telegraph.co.uk/news/
    • https://y.qq.com/
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=ZH-CHS_EN&a=https%3a%2f%2fy.qq.com%2f
    • https://us.macmillan.com/
    • http://music.163.com/
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=ZH-CHS_EN&a=http%3a%2f%2fmusic.163.com%2f
    • http://translate.google.hu/
    • https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.lextutor.ca%2Ffreq%2Flists_download%2Fbrown_freq.xls
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
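The following is an added example, not the analysis engine's own code, of the three-signal conjunction the PDF_SEO_FAKE_DOWNLOAD and EMBEDDED_URL findings above describe: pull /URI link actions out of raw PDF bytes, flag the ones that are server-side download gateways whose query string names a document payload, look for a call-to-action phrase in the page text, and only fire the critical verdict when the classifier score, the lure and the gateway link all co-occur. The score threshold, the phrase list, the script-extension pattern, the `own_hosts` notion of "off-domain" and the sample PDF bytes and page text are assumptions constructed for the example; the three URLs in the sample are taken from the list above.

```python
"""Toy re-implementation of the 'fake free download' conjunction heuristic.
Added example; thresholds, patterns and sample input are assumptions."""
import re
from urllib.parse import urlparse, parse_qs

ML_THRESHOLD = 0.8                                   # assumed classifier cut-off
CTA_PHRASES = ("click here to download", "download now", "free download")
DOC_EXTS = (".pdf", ".doc", ".docx", ".epub", ".xls", ".xlsx")
SCRIPT_RE = re.compile(r"\.(php|asp|aspx|cgi|jsp)$", re.I)   # server-side gateway script

# Constructed sample: three link annotations (URLs from the report's list) in
# uncompressed objects. Real PDFs often keep annotations inside compressed
# object streams, which this byte-level regex would not see.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(http://uncpbisdegree.com/download3.php?q=tom-ned-and-kitty-an-intimate-portrait-of-an-irish-family.pdf) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(http://riverside-resort.net/1/tender-offer.pdf) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(https://en.wikipedia.org/wiki/Special:Search) >> >> endobj\n"
    b"%%EOF\n"
)
# Constructed page text carrying one of the lure phrases listed in the report.
SAMPLE_TEXT = ("Tom, Ned and Kitty: An Intimate Portrait of an Irish Family\n"
               "Click here to download the full PDF")


def extract_uris(pdf_bytes):
    """Return literal-string /URI actions found in raw PDF bytes.
    Escaped or nested parentheses and hex-string forms are not handled."""
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", pdf_bytes)]


def is_download_gateway(url, own_hosts=()):
    """True for a server-side script whose query string names a document
    payload, hosted outside own_hosts (the report's 'off-domain' condition)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not SCRIPT_RE.search(p.path):
        return False
    if (p.hostname or "") in own_hosts:
        return False
    values = [v.lower() for vals in parse_qs(p.query).values() for v in vals]
    return any(v.endswith(DOC_EXTS) for v in values)


def has_cta(text):
    """Visual download / call-to-action lure: low signal on its own."""
    t = text.lower()
    return any(phrase in t for phrase in CTA_PHRASES)


def fake_download_verdict(ml_score, text, urls, own_hosts=()):
    """Fire the critical finding only when all three signals co-occur;
    also report how much of the link set is decoy padding."""
    gateways = [u for u in urls if is_download_gateway(u, own_hosts)]
    signals = {
        "ml_flag": ml_score >= ML_THRESHOLD,
        "cta_lure": has_cta(text),
        "gateway_link": bool(gateways),
    }
    return {
        "critical": all(signals.values()),
        "signals": signals,
        "gateways": gateways,
        "decoy_ratio": 1 - len(gateways) / len(urls) if urls else 0.0,
    }


if __name__ == "__main__":
    found = extract_uris(SAMPLE_PDF)
    print(fake_download_verdict(0.9395, SAMPLE_TEXT, found))
```

A direct link to a `.pdf` file (the riverside-resort.net entries in the list above) is deliberately not a gateway: the path is not a script and there is no query string naming a payload, so it only counts toward the decoy ratio. Dropping the score to below the threshold, or removing the lure text, turns the same link set into a non-critical result, which is what keeps ordinary download-bearing PDFs from being misflagged.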

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                     Size
font_00_sfnt_off00004d71.bin  4b26877d7ab9ce9ffabbc2fe81645d3420e2d2173e482ec4d18c6812efe240aa  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4D71  10352 bytes
font_01_sfnt_off00006e69.bin  48a5c1a36bbb87de8c407055ff968184e95f2cc9a84aeb80a28e947194feca11  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6E69  6748 bytes
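A minimal carver for embedded sfnt font streams, added here as an example and not the analysis pipeline's own extractor. It walks `stream ... endstream` objects, honours a direct integer `/Length` when one is present, inflates `/FlateDecode` streams, keeps those whose decoded bytes start with an sfnt magic, and names each hit the way the table does (index plus the offset of the stream data). The assumption that the table's offset is the start of the stream data, the `/Length` handling and the constructed sample PDF are all mine.

```python
"""Carve sfnt (TrueType/OpenType) font streams out of a PDF by offset.
Added example; not the report generator's own code."""
import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")            # 'stream' keyword, not 'endstream'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct integer, not 'n g R'


def carve_sfnt_fonts(pdf):
    """Return one record per embedded sfnt font: filename, offset, size, sha256, data."""
    found = []
    for kw in STREAM_KW.finditer(pdf):
        start = kw.end()
        # The stream dictionary sits between the nearest preceding 'obj' and the keyword.
        obj_start = max(pdf.rfind(b"obj", 0, kw.start()), 0)
        header = pdf[obj_start:kw.start()]
        m = LENGTH_RE.search(header)
        if m:
            raw = pdf[start:start + int(m.group(1))]
        else:
            # Indirect or missing /Length: fall back to scanning for the end marker.
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf[start:end].rstrip(b"\r\n")
        data = raw
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                               # not a clean zlib stream, skip it
        if data[:4] not in SFNT_MAGICS:
            continue                                   # not a font, e.g. page content
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found


def build_sample_pdf():
    """Constructed two-object PDF: one FlateDecode font stream and one page stream."""
    font = b"\x00\x01\x00\x00\x00\x04" + bytes(50)     # fake sfnt: version tag, numTables, padding
    comp = zlib.compress(font)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\nstream\n",
        comp,
        b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /Length 10 >>\nstream\nBT (hi) ET\nendstream\nendobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts), font


if __name__ == "__main__":
    sample, _ = build_sample_pdf()
    for rec in carve_sfnt_fonts(sample):
        print("%-30s %s pdf-font-stream offset 0x%X %d bytes"
              % (rec["filename"], rec["sha256"], rec["offset"], rec["size"]))
```

Hash the decoded bytes, not the compressed stream: that is what lets the carved file be matched against a font-library or a known-good Liberation build regardless of how the producing application packed it.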