Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a77513e698b27e3…

Verdict: MALICIOUS

File type: PDF

Size: 37.8 KB
Created: 2018-06-11 08:47:25 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24

MD5: 49b0bf2669cffb8c281adc673e1e451e
SHA-1: 4c758366e932a7ea938798c449194710b371fa5c
SHA-256: 2a77513e698b27e3c3941ca0dca15789c08106430fccdeee58824b82cb7b556d

Risk Score: 130

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8839

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm [medium] PDF_SEO_PHP_GATEWAY_LINK_FARM
    The PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimately PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding on its own unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005721.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5721   10184 bytes
    SHA-256: 95dbe7ea1d10ba0ff493076ee39962656f925cb5aa8988e6f6a90e316884afd8
font_01_sfnt_off00007784.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7784   7124 bytes
    SHA-256: e7b0968310f39fa5d952d7ba4daf9496aafc68b59b57c3a84b7c82dd624491b5