Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d9852546ad9831a…

Verdict: MALICIOUS
File type: PDF
Size: 36.3 KB
Created: 2018-06-11 09:13:23 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-08-25
MD5: ae3d6086ff910dc5f37f024a2a8d49d5
SHA-1: 65c261ebe2b6891eb63e792158f6008c223094f7
SHA-256: 2d9852546ad9831a66e11539c34561612096cb8b3b98e0508a1d5dee67fb0fbb
Risk score: 130

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF file contains embedded URLs and document body text that mimic a download page for 'tower crane test questions and answers'. The presence of a 'download button' heuristic and the ML classifier flagging the PDF as malicious strongly suggest a phishing or social engineering attempt. The primary URLs point to a domain that appears to be hosting malicious content, likely intended to deliver a payload or redirect the user to a further malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9062

Heuristics (4)

  • [critical] PDF_SEO_FAKE_DOWNLOAD: Fake 'free download' SEO-poisoning PDF
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • [medium] PDF_SEO_PHP_GATEWAY_LINK_FARM: PDF carries a PHP-gateway SEO-spam PDF link farm
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005160.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5160
    Size: 10384 bytes
    SHA-256: db110ed28d4bc17b8aeec9fde1ddebd1527a009472806029f2a5d035d3f41ca1
  • font_01_sfnt_off0000726e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x726E
    Size: 7068 bytes
    SHA-256: 9bef8d6df3f3c132158a5fc35289227f5d00569dfb2b8dc83330426152daf44f