Malicious PDF — malware analysis report

Static analysis result for SHA-256 10ead5f8f4faf8c6…

Verdict: MALICIOUS
File type: PDF
Size: 34.3 KB
Created: 2018-06-11 08:47:55 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: a70001aa5e4bf340e85c5558252256c5
SHA-1: 04caf47381ae103bcb1345a14b25d4977fcb7147
SHA-256: 10ead5f8f4faf8c6c3419a7194869c06285dc7b3af518577616b2367b600e932
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link; T1204.002 Malicious File

The PDF is classified as malicious by the ML classifier and matches heuristics for a fake 'free download' lure built for SEO poisoning. It embeds URLs that lead to a server-side download gateway, which likely serves a malicious payload. The document body contains text and URLs about a 'sketchup 7 user manual', the pretext for the download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9340

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF (critical, PDF_SEO_FAKE_DOWNLOAD)
    The ML classifier flagged this PDF, AND it carries a visual download/call-to-action lure, AND it links to an off-domain server-side download gateway whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware or scareware. Firing only on the conjunction keeps benign PDFs that merely carry download links from being misflagged.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    The PDF contains an external URI action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=sketchup-7-user-manual.pdf
    • http://uncpbisdegree.com/download4.php?q=sketchup-7-user-manual.pdf
    • http://www.sketchuptexture.com/search/label/BACKGROUNDS
    • http://www.thomthom.net/thoughts/2012/08/dealing-with-units-in-sketchup/
    • http://www.thomthom.net/thoughts/2012/02/definitions-and-instances-in-sketchup/
    • http://www.dhobh.net/trainz/GoogleSketchUp/RubyTMIX.htm
    • http://www.sketchupartists.org/tutorials/sketchup-and-v-ray/lighting-with-v-ray-for-sketchup-definitive-guide-part-1/
    • http://www.renderplus.com/wp2/wk/IRender_nXt.htm
    • http://www.globalmapper.com/helpv14/Help_MenuBarAndToolBar.html
    • http://download.skalp4sketchup.com/downloads/latest/
    • http://www.tocact.org.au/?page_id=650
    • https://blog.protoneer.co.nz/arduino-cnc-shield/
    • http://www.reefball.org/tm/tm/tm.htm
    • https://craftunique.com/craftware/
    • http://isicad.net/articles.php?article_num=14805
    • http://hamburggermany.men/Jaboatao_Dos_Guarapes-Brazil/Jaboatao_Dos_Guarapes-Brazil_v.php
    • http://www.fullspectrumengineering.com/forums/viewforum.php?f=3
    • http://riverside-resort.net/1/sony-vgn-tt290n-laptops-owners-manual.pdf
    • http://riverside-resort.net/1/the-cooperative-game-theory-of-networks-and-hierarchies-1st-edition.pdf
    • http://riverside-resort.net/1/the-first-world-war-germany-and-austria-hungary-1914-1918-2nd-edition.pdf
    • http://riverside-resort.net/1/sony-vgn-fs760w-laptops-owners-manual.pdf
    • http://riverside-resort.net/1/this-incomparable-land-a-guide-to-american-nature.pdf
    • http://riverside-resort.net/1/thermador-dishwasher-installation-manual.pdf
    • http://riverside-resort.net/1/sylvania-lv426g-vcrs-owners-manual.pdf
    • http://riverside-resort.net/1/the-antichrist-peter-owen-modern-classics.pdf
    • http://riverside-resort.net/1/shl-test-questions-and-answers-java.pdf
    • http://riverside-resort.net/1/suzuki-repair-manual-free.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://help.sketchup.com/en/article/141303
    • https://extensions.sketchup.com/en/content/2014-dibac-sketchup
    • https://extensions.sketchup.com/en/content/flatten-faces
    • http://www.instructables.com/id/SketchUp-Inkscape-and-Ponoko-Laser-Cutting/
    • http://sketchucation.com/resources/tutorials/108-installing-sketchup-plugins
    • https://www.xnview.com/en/xnview.php
    • https://en.wikipedia.org/wiki/CAD
    • http://www.geocities.co.jp/SiliconValley-SanJose/2485/image_soft_compare.html
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=JA_EN&a=http%3a%2f%2fwww.geocities.co.jp%2fSiliconValley-SanJose%2f2485%2fimage_soft_compare.html
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
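The PDF_SEO_FAKE_DOWNLOAD conjunction above is reproducible from the report's own extracted features. The script below is an added example, not the analysis engine's code: REPORT_URLS is a subset of the URL list extracted from this sample (both gateway links plus ten of the decoys), BODY_TEXT and the score threshold are constructed stand-ins, and the CTA phrase list, the gateway pattern and the 'off-domain' test are this example's own assumptions.

```python
"""Re-implement the fake-download SEO-poisoning conjunction over extracted features."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

ML_THRESHOLD = 0.8   # assumed cut-off; the report's classifier scored this sample 0.9340
CTA_PHRASES = ("click here to download", "download now", "free download", "free pdf download")
# Gateway link: a server-side script in the path plus a query value naming a document payload.
GATEWAY_RE = re.compile(r"/(?:download|dl|get|file)\w*\.(?:php|asp|aspx|jsp)$", re.I)
PAYLOAD_EXT = (".pdf", ".doc", ".docx", ".zip", ".exe")

# Subset of the URLs the report extracted from the sample (2 gateway links, 10 decoys).
REPORT_URLS = [
    "http://uncpbisdegree.com/download3.php?q=sketchup-7-user-manual.pdf",
    "http://uncpbisdegree.com/download4.php?q=sketchup-7-user-manual.pdf",
    "http://www.sketchuptexture.com/search/label/BACKGROUNDS",
    "http://www.thomthom.net/thoughts/2012/08/dealing-with-units-in-sketchup/",
    "http://download.skalp4sketchup.com/downloads/latest/",
    "http://isicad.net/articles.php?article_num=14805",
    "http://riverside-resort.net/1/suzuki-repair-manual-free.pdf",
    "https://help.sketchup.com/en/article/141303",
    "https://extensions.sketchup.com/en/content/flatten-faces",
    "https://www.xnview.com/en/xnview.php",
    "http://go.microsoft.com/fwlink/?LinkID=617297",
    "https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
]
BODY_TEXT = "SketchUp 7 User Manual ... Click here to download the full PDF"  # constructed


def gateway_links(urls):
    """URLs whose path is a download script and whose query names a document payload."""
    hits = []
    for u in urls:
        p = urlparse(u)
        if not GATEWAY_RE.search(p.path):
            continue
        values = [v for vals in parse_qs(p.query).values() for v in vals]
        if any(v.lower().endswith(PAYLOAD_EXT) for v in values):
            hits.append(u)
    return hits


def off_domain_hosts(urls, gateways):
    """Assumed 'off-domain' test: the gateway host is used by nothing but gateway links,
    i.e. none of the decoy content points at it."""
    all_hosts = Counter(urlparse(u).hostname for u in urls)
    gw_hosts = Counter(urlparse(u).hostname for u in gateways)
    return sorted(h for h, n in gw_hosts.items() if all_hosts[h] == n)


def classify(ml_score, body_text, urls):
    """Return the verdict plus the individual signals so an analyst can see what fired."""
    text = body_text.lower()
    cta = [p for p in CTA_PHRASES if p in text]
    gateways = gateway_links(urls)
    hosts = off_domain_hosts(urls, gateways)
    signals = {"ml": ml_score >= ML_THRESHOLD, "cta": bool(cta), "gateway": bool(hosts)}
    if all(signals.values()):
        verdict = "critical PDF_SEO_FAKE_DOWNLOAD"
    elif cta:
        verdict = "low SE_DOWNLOAD_BUTTON"   # a button alone is not a detection
    else:
        verdict = "info"
    # Share of links that are decoys: how hard the author tried to dilute the classifier.
    decoy_ratio = round(1 - len(gateways) / len(urls), 3) if urls else 0.0
    return {"verdict": verdict, "signals": signals, "cta_phrases": cta,
            "gateway_urls": gateways, "gateway_hosts": hosts, "decoy_ratio": decoy_ratio}


if __name__ == "__main__":
    import json
    print(json.dumps(classify(0.9340, BODY_TEXT, REPORT_URLS), indent=2))
```

Note that the direct `.pdf` links on riverside-resort.net do not match the gateway rule: the rule requires a script in the path and a payload name in the query, which is what separates a redirect gateway from a plain document link. Swap REPORT_URLS for the full list from the report and the decoy ratio rises further, which is the dilution the heuristic describes.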

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000499d.bin
  SHA-256: 24bde3e294375b9764e49dd875fefc51bc55a8637ee473692c0a51055abaa783
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x499D
  Size: 10784 bytes

Filename: font_01_sfnt_off00006bc2.bin
  SHA-256: 7e219ed51f3e4b9ae81db6e4d1bbc7aa10687124ecced197c0a3c727bfe05f2d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6BC2
  Size: 6864 bytes
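The two findings that feed the report's URL list (PDF_URI and EMBEDDED_URL) and the font artifacts carved above both come out of a byte-level walk over the PDF. The parser below is an added example, not the analysis engine's code. The PDF it reads is constructed inline: two /Link annotations carrying one gateway URL and one decoy URL taken from the report, a FlateDecode page-content stream with a call-to-action phrase, and a FlateDecode font stream holding a stub sfnt. It ignores the xref table and scans raw bytes, as carving tools do; real samples also use hex strings, escaped strings and object streams, which this example does not handle.

```python
"""Extract /URI link actions and carve embedded sfnt fonts from a PDF (constructed sample)."""
import hashlib
import re
import struct
import zlib

GATEWAY = b"http://uncpbisdegree.com/download3.php?q=sketchup-7-user-manual.pdf"  # from the report
DECOY = b"https://help.sketchup.com/en/article/141303"                          # from the report


def stub_sfnt() -> bytes:
    """Constructed 36-byte sfnt: offset table, one 'head' record, 8 bytes of table data."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)  # sfntVersion, numTables, ...
    record = struct.pack(">4sIII", b"head", 0, 28, 8)       # tag, checksum, offset, length
    return header + record + bytes(8)


def stream_obj(num: int, payload: bytes) -> bytes:
    data = zlib.compress(payload)
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(data))
            + data + b"\nendstream\nendobj\n")


def build_sample_pdf() -> bytes:
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R 5 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 72 300 90] "
        b"/A << /S /URI /URI (" + GATEWAY + b") >> >>\nendobj\n",
        b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 100 300 118] "
        b"/A << /S /URI /URI (" + DECOY + b") >> >>\nendobj\n",
        stream_obj(6, b"BT /F1 12 Tf 72 72 Td (Click here to download) Tj ET"),
        stream_obj(7, stub_sfnt()),
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"%%EOF\n"


URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")   # literal strings only
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
SFNT_MAGIC = re.compile(rb"\x00\x01\x00\x00|OTTO|true")


def extract_uris(pdf: bytes) -> list:
    """URI actions sit in annotation dictionaries, i.e. in the clear, not inside streams."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def decoded_streams(pdf: bytes) -> list:
    """(file offset of stream data, decoded bytes) for every stream; Flate streams are inflated."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        head = pdf[max(0, m.start() - 256):m.start()]
        dict_part = head[max(head.rfind(b" obj"), 0):]   # this object's dictionary
        body = m.group(1)
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue   # truncated or mislabelled stream: skip rather than crash
        out.append((m.start(1), body))
    return out


def carve_sfnt(data: bytes) -> list:
    """Locate sfnt headers and size each font from its table directory (max offset+length)."""
    fonts = []
    for m in SFNT_MAGIC.finditer(data):
        pos = m.start()
        if pos + 12 > len(data):
            continue
        num_tables = struct.unpack(">H", data[pos + 4:pos + 6])[0]
        if not 1 <= num_tables <= 64 or pos + 12 + 16 * num_tables > len(data):
            continue   # 'true' inside text, or a directory that runs off the stream
        end = 12 + 16 * num_tables
        for i in range(num_tables):
            rec = pos + 12 + 16 * i
            off, length = struct.unpack(">II", data[rec + 8:rec + 16])
            end = max(end, off + length)
        if pos + end <= len(data):
            fonts.append(data[pos:pos + end])
    return fonts


def analyse(pdf: bytes) -> dict:
    fonts, cta = [], False
    for file_off, body in decoded_streams(pdf):
        cta = cta or b"download" in body.lower()
        for f in carve_sfnt(body):
            fonts.append({"offset": file_off, "size": len(f),
                          "sha256": hashlib.sha256(f).hexdigest()})
    return {"uris": extract_uris(pdf), "cta_in_content": cta, "fonts": fonts}


if __name__ == "__main__":
    print(analyse(build_sample_pdf()))
```

The reported offset is that of the raw stream data in the file, which is the value a carving tool records; the hash is taken over the inflated font so it can be matched against font databases regardless of how the PDF compressed it.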