Malicious PDF — malware analysis report

Static analysis result for SHA-256 414f590bed99e4fb…

MALICIOUS

PDF

27.6 KB Created: 2018-06-11 09:13:13 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-08-25
MD5: ecf4c2424e09106d01b6436374c84725 SHA-1: 25f6d0a8615512bd72c7bc39674138484906cca3 SHA-256: 414f590bed99e4fb1876aaf275a54f8d3a0443c6310d5d6c1c030243a4761f7f
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple suspicious URLs, including one directly linked to a heuristic firing for an external URI. The ML classifier also flagged this PDF as malicious with high confidence. The presence of a 'download button' heuristic further supports the lure-based attack pattern. The document body, though garbled, contains references to the suspicious URLs, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9664

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=thermoguard-spectrum-auto-expeditor-forums.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=thermoguard-spectrum-auto-expeditor-forums.pdfIn PDF document text
    • http://riverside-resort.net/1/spanish-2-realidades-2a-final-exam.pdfIn PDF document text
    • http://riverside-resort.net/1/test-of-genius-2009-algebra-with-pizzazz-answers.pdfIn PDF document text
    • http://riverside-resort.net/1/the-dirty-game-uncovering-the-scandal-at-fifa.pdfIn PDF document text
    • http://riverside-resort.net/1/stars-suite-english-iv-answers.pdfIn PDF document text
    • http://riverside-resort.net/1/tecnik-tkl9260-manual.pdfIn PDF document text
    • http://riverside-resort.net/1/the-molecular-genetics-of-aging-1st-edition.pdfIn PDF document text
    • http://riverside-resort.net/1/the-history-psychology-and-pedagogy-of-geographic-literacy.pdfIn PDF document text
    • http://riverside-resort.net/1/the-7-habits-of-highly-effective-teenagers-personal-workbook-covey.pdfIn PDF document text
    • http://riverside-resort.net/1/st-helens-doctors.pdfIn PDF document text
    • http://riverside-resort.net/1/suzuki-dt-40-manual.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000031a4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x31A4 10492 bytes
SHA-256: 3b4167c6bfb8421dd4fc31203bbb1aacbcd9c63e44462f72ef7f6718b8c383d7
font_01_sfnt_off000052e9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x52E9 7152 bytes
SHA-256: 0ccb9bd8804b5c5343014b886e66bcc2c2e973d1940a6de9e85afc3b3a708379