Malicious PDF — malware analysis report

Static analysis result for SHA-256 149e077f83b7bffa…

Verdict: MALICIOUS
File type: PDF
Size: 30.8 KB
Created: 2018-06-11 08:20:32 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: c81148a21a2f2f7db1bff3e80393d19f
SHA-1: 18ab7515fb25a19c2290a93ea9d283baafd51247
SHA-256: 149e077f83b7bffa6dc8205f22b2d50ff16e2965c47e44c971b6370f528bec4d
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF was flagged by an ML classifier as malicious and exhibits characteristics of SEO poisoning, directing users to download potentially harmful files. The document body contains embedded URLs that mimic search results and lead to download pages, suggesting a lure to trick users into downloading malware disguised as a user guide. The primary malicious URLs identified are http://uncpbisdegree.com/download3.php?q=viewsonic-vx2262wm-user-guide.pdf and http://uncpbisdegree.com/download4.php?q=viewsonic-vx2262wm-user-guide.pdf.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9375

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (severity: critical, rule PDF_SEO_FAKE_DOWNLOAD)
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The two download-gateway URLs named in the summary above:
    • http://uncpbisdegree.com/download3.php?q=viewsonic-vx2262wm-user-guide.pdf
    • http://uncpbisdegree.com/download4.php?q=viewsonic-vx2262wm-user-guide.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003d05.bin
  SHA-256: 1fbfe9f94d49a0a5232fda05d217c101f6b9c4df483901e5a2b0788934e6ab2c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3D05
  Size: 10432 bytes

Filename: font_01_sfnt_off00005e2d.bin
  SHA-256: 4a380ff4d8387f0c429f4eaf2ea2270ffdb1b6b024f21c0256518c993d44dd3f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5E2D
  Size: 7316 bytes