Malicious PDF — malware analysis report

Static analysis result for SHA-256 40be5ad6bc48fe0d…

MALICIOUS

PDF

Size: 52.5 KB
Created: 2018-06-11 08:21:53 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 0681717b5d24d833993feb286d2b6e68
SHA-1: 0fc6518d7d5e8c702ed9eaaeccf70ee3f02d681e
SHA-256: 40be5ad6bc48fe0d08533f10196fcca49b39bad9284c0511c67a9d646a2ee7d6
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains embedded URLs and document body text that mimic a search result or download link for operating-systems solutions manuals. The 'PDF_URI' and 'EMBEDDED_URL' heuristic firings indicate external links, with 'uncpbisdegree.com' as the primary suspicious domain. The ML classifier also flagged the PDF as malicious. The overall goal appears to be social engineering: luring the user into downloading a potentially malicious PDF from a suspicious domain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6265

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (critical) PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm (medium) PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00007dd2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DD2 | 14472 bytes
  SHA-256: 0fc71806604784070349b6a060614cc0eb318e7a2b82a7974f0ffef2e2bf01be
font_01_sfnt_off0000aa6a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA6A | 9732 bytes
  SHA-256: 84a257fc4eefff63f54d56100baf9e8579a9be2a6925f2893f8f347b67099a1a