Malicious PDF — malware analysis report

Static analysis result for SHA-256 33a23f1ff68f1451…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Created: 2018-06-11 08:54:10 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 032d62f7b9e59e21b95bc8ff80bbc33a
SHA-1: aa4f9051c741a34fe0451c070c4514b8fa4d6b9e
SHA-256: 33a23f1ff68f1451151799ba0f7bd4c184b90efb8853ffe6e20c9e0c566a16b3
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains embedded URLs pointing to a domain associated with malicious downloads, disguised as a financial analysis report. The ML classifier also flagged this PDF as malicious. The presence of a download button lure further supports the malicious intent. The document body itself contains obfuscated text and repeated URLs, reinforcing the download lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7209

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (severity: critical, rule: PDF_SEO_FAKE_DOWNLOAD)
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium, rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005bfc.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5BFC
  Size: 11240 bytes
  SHA-256: cacdb0de9c0bed8220667eec88bf7829545fc96d4df7d5e8fcb92447f8bbd895

Filename: font_01_sfnt_off00007f7e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F7E
  Size: 6920 bytes
  SHA-256: 6cb263b9093a250b4954d222b3eadc8f75d6b0f68790727fa90cda23ac188482