Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ebab9f6cb658945…

Verdict: MALICIOUS
File type: PDF
Size: 30.6 KB
Created: 2018-06-11 09:49:40 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: cba7733627db24826f29758617a2fb87
SHA-1: a14e2ed8b82d1a26e5bf7623fff734aaaeba8315
SHA-256: 3ebab9f6cb658945f814516580683876f467bafcb4777867a3dd6a4a40b8359e
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The PDF file contains heuristics indicating it is a dropper, specifically detected by ClamAV as Pdf.Dropper.Agent-9094162-0. The document body and extracted URLs point to a lure, presenting a 'thermal physics charles kittel solution manual' and providing links to download PDFs from suspicious domains. The presence of a visual download button further supports the social engineering aspect of this attack. The primary intent appears to be tricking the user into downloading a malicious file disguised as a legitimate document.

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-9094162-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9094162-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00003d9e.bin
    SHA-256: 11f2ec80fc765b442429779bb71e1be2a35db6864f0309e6194fc5598c9dc029
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3D9E; Size: 10148 bytes
  • font_01_sfnt_off00005e0b.bin
    SHA-256: 87503161f01bd70fac747a9f2aeccbac110282ba82317d7646c4c6de21729798
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5E0B; Size: 6920 bytes