Malicious PDF — malware analysis report

Static analysis result for SHA-256 295e58c73c6145c9…

Verdict: MALICIOUS
File type: PDF

Size: 67.1 KB
Created: 2018-06-11 09:41:15 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: e28c033bd483293ff547bd021c41e523
SHA-1: 092529a29dd332f44ebd5e417ffae2e26c658bb0
SHA-256: 295e58c73c6145c93927399ff08447939787acd50fabf009e16aac799529ae6a
Risk score: 72

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file is identified as a PDF by ClamAV with the signature Pdf.Dropper.Agent-9645413-0. It contains a heuristic firing for a visual download button, suggesting a social engineering lure. The PDF also embeds an external URI pointing to a suspicious URL, likely intended to host or deliver a secondary payload. The document body is heavily obfuscated and contains binary data, indicating it is not a standard document.

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-9645413-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9645413-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b72a.bin
  SHA-256: 6072c9af16c811a80284d3cc6ab40c26700f0ee2980662ec3a44b1c80398ca28
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB72A
  Size: 14700 bytes

Filename: font_01_sfnt_off0000e3ac.bin
  SHA-256: 97f5096c49f542b207b9fcfe24265308520fee527e30ec535f96f7c6fd223224
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE3AC
  Size: 9568 bytes