Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
Heuristic matches indicate that this PDF is a fake-download lure built for SEO poisoning. It embeds external URI actions pointing at 'uncpbisdegree.com', which most likely acts as the distribution point for the malicious content behind the lure. The ML classifier independently flagged the PDF as malicious with high confidence (score 0.9375).
Machine Learning
- Nyx PDF Classifier malicious score 0.9375
Heuristics (4)
- Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD: The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
- Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON: Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
- External URI [info] PDF_URI: PDF contains an external URL action.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- http://uncpbisdegree.com/download3.php?q=tornado-class-a1-new-peppercorn-a1-2008-onwards.pdf
- http://uncpbisdegree.com/download4.php?q=tornado-class-a1-new-peppercorn-a1-2008-onwards.pdf
- http://www.steamindex.com/locotype/thompep.htm
- https://www.p2steam.com/design/
- http://www.stuartblack.com/category/0/1/locamotive+prints/
- http://www.britishrailwaystories.com/
- http://www.normanwisenden.co.uk/sitemap.asp
- http://uncpbisdegree.com/1/statics-14th-edition.pdf
- http://riverside-resort.net/1/volvo-c70-check-engine-light.pdf
- http://riverside-resort.net/1/upcoming-comic-book-games.pdf
- http://uncpbisdegree.com/1/thai-reading-text-mostly-reading.pdf
- http://uncpbisdegree.com/1/stages-of-asbestosis.pdf
- http://uncpbisdegree.com/1/student-activity-workbook-answers-health.pdf
- http://uncpbisdegree.com/1/t-mobile-blackberry-pearl-user-guide.pdf
- http://riverside-resort.net/1/xml-study-guide.pdf
- http://riverside-resort.net/1/what-is-a-reflection-paper-format.pdf
- http://riverside-resort.net/1/voltage-supply-circuit-and-semiconductor-memory.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://en.wikipedia.org/wiki/Steam_train
- http://www.dictionary.com/e/s/word-of-the-year-list/
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
- https://go.microsoft.com/fwlink/?linkid=868922
- http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
- http://go.microsoft.com/fwlink/?LinkID=617297
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
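The three-signal rule described under PDF_SEO_FAKE_DOWNLOAD, and the link-annotation channel named under EMBEDDED_URL, as an added Python example that is not part of the analyzer's own code: it pulls /URI action targets out of raw PDF bytes with a regex, tests each URL for the server-side gateway pattern (a script path plus a query value naming a document), checks for a call-to-action phrase, and fires the verdict only on the conjunction with the ML score. It also computes the gateway-to-link ratio to show why a ratio-based score is diluted by decoy links while the conjunction is not. The PDF fragment, the eight-URL subset of the list above, the call-to-action text, the host allowlist that stands in for the rule's "off-domain" condition, the 0.5 ML threshold and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed PDF fragment (not a complete PDF): two link annotations whose
# /URI actions point at the gateway URL from this report and at a decoy.
PDF_FRAGMENT = (
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100] /A << /S /URI "
    b"/URI (http://uncpbisdegree.com/download3.php?q=tornado-class-a1-new-peppercorn-a1-2008-onwards.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 120 300 140] /A << /S /URI "
    b"/URI (https://en.wikipedia.org/wiki/Steam_train) >> >> endobj\n"
)

# Constructed subset of the report's URL list: both gateway links plus six decoys.
REPORT_URLS = [
    "http://uncpbisdegree.com/download3.php?q=tornado-class-a1-new-peppercorn-a1-2008-onwards.pdf",
    "http://uncpbisdegree.com/download4.php?q=tornado-class-a1-new-peppercorn-a1-2008-onwards.pdf",
    "http://www.steamindex.com/locotype/thompep.htm",
    "https://www.p2steam.com/design/",
    "http://uncpbisdegree.com/1/statics-14th-edition.pdf",
    "http://riverside-resort.net/1/xml-study-guide.pdf",
    "https://en.wikipedia.org/wiki/Steam_train",
    "http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409",
]

# Assumed allowlist standing in for the rule's "off-domain" condition.
BENIGN_HOSTS = frozenset({"go.microsoft.com", "fedoraproject.org", "en.wikipedia.org"})

# Matches /A << /S /URI /URI (...) >> and tolerates PDF literal-string escapes inside.
# Real PDFs may order the keys differently or use hex strings; those cases are not handled.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")

DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".zip")
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi")
CTA = re.compile(r"\b(click here to download|download now|free (?:pdf )?download)\b", re.I)


def extract_uri_actions(data: bytes) -> list:
    """Link-annotation channel: return every /URI action target found in raw PDF bytes."""
    urls = []
    for m in URI_ACTION.finditer(data):
        literal = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        urls.append(literal.decode("latin-1"))
    return urls


def is_download_gateway(url: str) -> bool:
    """Server-side script whose query string names a document payload, e.g. download3.php?q=...pdf."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.path.lower().endswith(SCRIPT_EXT):
        return False
    return any(v.lower().endswith(DOC_EXT) for vals in parse_qs(p.query).values() for v in vals)


def gateway_fraction(urls) -> float:
    """Share of links that are gateways: a ratio like this is what decoy padding drives down."""
    return sum(is_download_gateway(u) for u in urls) / len(urls) if urls else 0.0


def seo_fake_download(ml_score, text, urls, benign_hosts=BENIGN_HOSTS, ml_threshold=0.5):
    """Fire PDF_SEO_FAKE_DOWNLOAD only when ML flag, CTA lure and off-domain gateway all hold."""
    gateways = [u for u in urls
                if is_download_gateway(u) and urlparse(u).hostname not in benign_hosts]
    signals = {
        "ml_flagged": ml_score >= ml_threshold,
        "cta_lure": CTA.search(text) is not None,
        "gateway_links": gateways,
        "decoy_links": len(urls) - len(gateways),
    }
    fires = signals["ml_flagged"] and signals["cta_lure"] and bool(gateways)
    return ("PDF_SEO_FAKE_DOWNLOAD" if fires else None), signals


if __name__ == "__main__":
    print(extract_uri_actions(PDF_FRAGMENT))
    print(f"gateway fraction: {gateway_fraction(REPORT_URLS):.2f}")
    print(seo_fake_download(0.9375, "Click here to download the full PDF", REPORT_URLS))
    print(seo_fake_download(0.9375, "Reference list", REPORT_URLS))  # no lure: no verdict
```

The gateway fraction of the constructed subset is already only 0.25, and it falls further the more decoy links are appended, which is why the rule keys on the presence of any qualifying gateway link rather than on a proportion.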
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00003bb7.bin | 111eaf8a8144e05142f46b4e2a1ab77086a7aa83268d69badb45acc4612addfc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3BB7 | 9888 bytes |
| font_01_sfnt_off00005b5d.bin | 691060e7360bf4b75df121d8b71685ce2dedf4b80f2a1e032e6f60d5a2fe415f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B5D | 7452 bytes |