Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d39edeeefcf5fa3…

MALICIOUS

PDF

Size: 32.2 KB
Created: 2018-06-11 09:33:35 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2021-11-03

MD5: 24aad916e834b1fedebdb37bb4b6b933
SHA-1: 7c883d3004172948823c4b030d537ca8ebdbfd6d
SHA-256: 1d39edeeefcf5fa31e1c3d3b00b5d8d208496f6ccc658860b0c5066f088b8b22

Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF was flagged as malicious by the ML classifier (Nyx score 0.9326) and by ClamAV, which names it Pdf.Dropper.Agent-9210854-0. It is a fake 'free download' lure of the kind distributed through SEO poisoning: the document presents a download call-to-action whose link annotation points to the off-domain server-side gateway http://uncpbisdegree.com/download3.php (a download4.php variant of the same link also appears in the document text), with a query string naming the document the victim expects to receive. The body is padded with benign decoy links (Wikipedia, JSTOR, Microsoft fwlink, font-licence pages) that dilute classifier scores, while the gateway is the channel through which a secondary stage (malware or scareware) would be delivered. All five heuristic findings in this static result are lure- and link-based; the risk lies in what the gateway serves when the user clicks, not in active content inside the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9326

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-9210854-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9210854-0
  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=three-french-writers-and-the-great-war-studies-in-the-rise-of-communism-and-fascism.pdf (PDF link annotation)
    • http://uncpbisdegree.com/download4.php?q=three-french-writers-and-the-great-war-studies-in-the-rise-of-communism-and-fascism.pdf (in PDF document text)
    • http://www.123helpme.com/search.asp?text=spanish+civil+war (in PDF document text)
    • http://www.easyessays.org/ (in PDF document text)
    • http://riverside-resort.net/1/the-mixer-bible-recipes-stand.pdf (in PDF document text)
    • http://riverside-resort.net/1/social-therapy-a-guide-to-social-support-interventions-for-mental-health-practitioners.pdf (in PDF document text)
    • http://riverside-resort.net/1/solution-manual-for-structural-analysis-hibbeler-8th-edition.pdf (in PDF document text)
    • http://riverside-resort.net/1/shl-talent-measurments-answers.pdf (in PDF document text)
    • http://riverside-resort.net/1/the-difference-engine.pdf (in PDF document text)
    • http://riverside-resort.net/1/the-sewer-sleuth-sparks.pdf (in PDF document text)
    • http://riverside-resort.net/1/sharp-gx17-user-guide.pdf (in PDF document text)
    • http://riverside-resort.net/1/the-sage-handbook-of-innovation-in-social-research-methods.pdf (in PDF document text)
    • http://riverside-resort.net/1/symphonic-vr60wf-vcrs-owners-manual.pdf (in PDF document text)
    • http://riverside-resort.net/1/select-works-of-sri-sankaracharya-sanskrit-text-with-english-translation.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://en.wikipedia.org/wiki/Feminism (in PDF document text)
    • https://en.wikipedia.org/wiki/French_Revolution (in PDF document text)
    • http://www.jstor.org/publisher/umnpress (in PDF document text)
    • http://www.jstor.org/subject/history (in PDF document text)
    • http://tvtropes.org/pmwiki/pmwiki.php/UsefulNotes/PoliticalIdeologies (in PDF document text)
    • https://www.encyclopedia.com/social-sciences-and-law/political-science-and-government/political-science-terms-and-concepts-15 (in PDF document text)
    • https://www.encyclopedia.com/social-sciences-and-law/political-science-and-government (in PDF document text)
    • http://www.newworldencyclopedia.org/entry/World_War_I (in PDF document text)
    • https://nyupress.org/books/ (in PDF document text)
    • https://www.washingtontimes.com/communities/ (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (in PDF document text)
    • https://go.microsoft.com/fwlink/?linkid=868922 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=617297 (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)
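As an added example (not the analysis platform's own code), the block below re-implements the two findings above that carry the verdict: the per-channel URL labelling behind EMBEDDED_URL (a /Link annotation's /URI action versus plain document text) and the three-signal PDF_SEO_FAKE_DOWNLOAD conjunction, run over a constructed PDF fragment that mimics this sample (a Flate-compressed content stream with a download call-to-action and decoy links, plus a link annotation to a download3.php-style gateway). The ML threshold, the phrase and extension lists, and the "claimed host" used to decide what counts as off-domain are assumptions; the page does not state the platform's actual definitions.

```python
"""Added example: minimal re-implementation of the report's URL-channel
labelling and the PDF_SEO_FAKE_DOWNLOAD three-signal conjunction.
Not the analysis platform's code; thresholds and lists are assumptions."""
import re
import zlib
from urllib.parse import urlparse, parse_qs

ML_THRESHOLD = 0.5                                                  # assumed; sample scored 0.9326
CTA_PHRASES = ("click here to download", "download now", "free download")  # assumed list
SERVER_SIDE_EXTS = (".php", ".asp", ".aspx", ".cgi", ".jsp")        # assumed
DOC_EXTS = (".pdf", ".doc", ".docx", ".epub", ".zip")                # assumed

URI_ACTION_RE = re.compile(rb"/URI\s*\((https?://[^)]+)\)")   # /A << /S /URI /URI (...) >>
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf_bytes):
    """Raw bytes plus the inflated body of every Flate stream, so URLs and text
    inside compressed content streams are visible. Non-zlib streams are skipped;
    their raw bytes are scanned anyway."""
    extra = []
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return pdf_bytes + b"\n" + b"\n".join(extra)


def extract_urls(scan):
    """Label each URL with the channel that reaches it: a clickable /Link
    annotation action, or plain document text (decoy or informational)."""
    urls, annotated = [], set()
    for m in URI_ACTION_RE.finditer(scan):
        url = m.group(1).decode("latin-1")
        if url not in annotated:
            annotated.add(url)
            urls.append((url, "link-annotation"))
    for m in URL_RE.finditer(scan):
        url = m.group(0).decode("latin-1")
        entry = (url, "document-text")
        if url not in annotated and entry not in urls:
            urls.append(entry)
    return urls


def is_gateway_download_link(url, claimed_host):
    """Off-domain server-side script whose query string names a document payload.
    'Off-domain' is approximated as: host differs from the domain the document
    claims to come from (assumed analyst-supplied; None means any host counts)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if claimed_host and (host == claimed_host or host.endswith("." + claimed_host)):
        return False
    if not p.path.lower().endswith(SERVER_SIDE_EXTS):
        return False
    values = [v.lower() for vals in parse_qs(p.query).values() for v in vals]
    return any(v.endswith(DOC_EXTS) for v in values)


def classify(pdf_bytes, ml_score, claimed_host=None):
    scan = inflate_streams(pdf_bytes)
    urls = extract_urls(scan)
    # Caveat: wkhtmltopdf-style PDFs usually draw text as hex glyph IDs of a
    # subset font; a production extractor maps those through /ToUnicode first.
    lowered = scan.lower()
    cta = any(p.encode() in lowered for p in CTA_PHRASES)
    gateways = [(u, ch) for u, ch in urls if is_gateway_download_link(u, claimed_host)]
    findings = []
    if cta:
        findings.append("SE_DOWNLOAD_BUTTON")
    # Fire the critical rule only on the conjunction, as the rule text says,
    # so benign PDFs that merely carry a download link are not flagged.
    if ml_score >= ML_THRESHOLD and cta and gateways:
        findings.append("PDF_SEO_FAKE_DOWNLOAD")
    return {"urls": urls, "gateways": gateways, "findings": findings}


def build_sample_pdf():
    """Constructed stand-in for the sample (not the real file): compressed
    content stream with a call-to-action and decoy links, plus a /Link
    annotation whose /URI action is a gateway URL."""
    content = (b"BT /F1 12 Tf 72 700 Td (Click here to download) Tj "
               b"0 -20 Td (See https://en.wikipedia.org/wiki/Feminism) Tj "
               b"0 -20 Td (http://riverside-resort.net/1/the-difference-engine.pdf) Tj ET")
    packed = zlib.compress(content)
    header = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n")
    content_obj = (b"4 0 obj << /Length " + str(len(packed)).encode()
                   + b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    link_obj = (b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
                b"/A << /S /URI /URI (http://uncpbisdegree.com/download3.php"
                b"?q=three-french-writers.pdf) >> >> endobj\n")
    return header + content_obj + link_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = classify(build_sample_pdf(), 0.9326, claimed_host="jstor.org")
    for url, channel in result["urls"]:
        print(f"{channel:16} {url}")
    print("findings:", result["findings"])
```

The gateway test deliberately rejects both of the benign shapes seen in this sample's decoy list: a static `.pdf` path on riverside-resort.net (no server-side script) and a `search.asp?text=...` link whose query value names no document. Only a script whose query string carries the promised file name, on a host other than the one the document claims, passes, and even then the critical finding fires only together with the ML hit and the call-to-action text.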

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000043be.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x43BE | 10048 bytes | 1b75e0e58630299584f47b2725c450bd05d7254d8a4763a27e858f59dd88b046
font_01_sfnt_off000063ca.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x63CA | 7152 bytes | 5c647e4b4c62318a4b19beef3c82123675e61f8ca35ea366db219a75c31d42e7