Malicious PDF — malware analysis report

Static analysis result for SHA-256 133aa3b506c4fbe6…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2018-06-11 08:43:08 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 05d97354b514d03bb51ab18130054dfb
SHA-1: 747fa2f2ce29841a14c4fe50ea1036881e096356
SHA-256: 133aa3b506c4fbe6a00eb1608a515911fdd4fc7a4a288301dcc04aec88a379d4
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by an ML classifier and a specific heuristic for fake 'free download' SEO poisoning. It contains embedded URLs pointing to 'uncpbisdegree.com', which are likely intended to trick users into downloading a secondary payload. The document body also contains numerous links, further supporting the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9027

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (severity: critical, rule: PDF_SEO_FAKE_DOWNLOAD)
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=sydney-insight-pocket-guide.pdf
    • http://uncpbisdegree.com/download4.php?q=sydney-insight-pocket-guide.pdf
    • http://www.sydneyswans.com.au/player-profile/tom-papley
    • http://www.ourguide.com.au/tv_guide.php?r=Maryborough&w=now
    • https://pretraveller.com/best-pocket-wifi-rental-japan/
    • https://johnryanbydesign.co.uk/understanding-beds/pocket-springs/
    • https://johnryanbydesign.co.uk/understanding-beds/
    • http://www.gwsgiants.com.au/
    • http://www.pbcexpo.com.au/sydney/exhibitors/exhibitor-directory/
    • https://www.gbg-international.com/guide/
    • https://www.ytravelblog.com/planning-a-trip/
    • https://propertyupdate.com.au/property-investment-for-beginners/
    • http://www.mortgageaustralia.com.au/
    • https://officesnapshots.com/offices/
    • http://www.uwphotographyguide.com/index.php?q=blue-ringed-octopus
    • https://www.pointhacks.com.au/qantas-round-the-world-classic-award-guide/
    • http://disneycruiselineblog.com/2017/01/book-review-the-unofficial-guide-to-disney-cruise-line-2017/
    • http://www.justinholman.com/2014/02/18/the-3-lessons-i-learned-when-i-accidentally-bought-a-liquor-store/
    • https://www.gentlemansgazette.com/worsted-wool-suiting-guide/
    • https://www.cleverism.com/authentic-leadership-guide/
    • http://willkempartschool.com/an-art-material-addicts-guide-to-becoming-a-minimalist-urban-sketcher/
    • http://www.bibme.org/
    • https://www.cleverism.com/18-best-idea-generation-techniques/
    • http://www.exploreaustralia.net.au/Victoria/Melbourne
    • http://www.exploreaustralia.net.au/Victoria
    • http://www.victoryarchery.com/dealer-locator/
    • http://www.hornywhores.net/
    • http://riverside-resort.net/1/the-heart-an-orthodox-christian-spiritual-guide.pdf
    • http://riverside-resort.net/1/transfer-comic-books-to-kindle.pdf
    • http://riverside-resort.net/1/the-last-man-across-the-atlantic.pdf
    • http://riverside-resort.net/1/undergraduate-scholarships-for-egyptian-students-2018.pdf
    • http://riverside-resort.net/1/sony-dcra-c171-manual.pdf
    • http://riverside-resort.net/1/the-secret-lives-of-fortunate-wives-sarah-strohmeyer.pdf
    • http://riverside-resort.net/1/teatro-completo-4.pdf
    • http://riverside-resort.net/1/streetwise-marketing-plan.pdf
    • http://riverside-resort.net/1/shakespeares-metrical-art.pdf
    • http://riverside-resort.net/1/tnpsc-group-4-question-paper-with-answers-in-tamil.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://www.zdnet.com/topic/
    • https://en.wikipedia.org/wiki/List_of_programs_broadcast_by_Seven_Network
    • http://www.dailymail.co.uk/travel/article-2145800/Budget-travel-How-man-travelled-Germany-Antarctica--penny-pocket.html
    • https://en.wikipedia.org/wiki/Entertainment
    • http://www.abc.net.au/abc3/shows/
    • https://www.theage.com.au/sport
    • http://www.lva.virginia.gov/public/guides/civil-war.htm
    • http://www.lva.virginia.gov/public/guides/
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    +3 more URL(s)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005053.bin
    SHA-256: 6a323e8b4891ba0e45de21707a1356eeeb31c95c285c7d046888d072e8cf42b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5053
    Size: 10136 bytes
  • Filename: font_01_sfnt_off000070b0.bin
    SHA-256: dca6de3cec95501c69e7d175c3d188f4a70d7601764b007d9e522ab8834c8a6b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70B0
    Size: 6920 bytes