Malicious PDF — malware analysis report

Static analysis result for SHA-256 499cdd8811257017…

MALICIOUS

PDF

29.5 KB Created: 2018-06-11 09:50:56 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-08-10
MD5: a9583208dd78735a3777c930337cabac SHA-1: 714e99df92648860c8222040ac86edf3d3ede2bd SHA-256: 499cdd88112570177690547b702168b83ee75ddaa593b5c1615472605445ed97
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded URLs, with a primary focus on 'uncpbisdegree.com', suggesting a lure to download further content. The ML classifier flagged this PDF as malicious with high confidence. The document body text and heuristics indicate a social engineering attempt to trick users into downloading a file presented as educational material.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9677

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=show-2018-november-question-paper-for-grade11.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=show-2018-november-question-paper-for-grade11.pdfIn PDF document text
    • http://correctionalserviceslearnership.com/In PDF document text
    • http://www.bakkah.net/en/islamic-university-madeenah-saudi-arabia.htmIn PDF document text
    • http://www.learnhive.net/blog/2012/12/everything-that-you-wanted-to-know-about-cbse-icse-igcse-and-other-international-syllabi/In PDF document text
    • http://uncpbisdegree.com/1/spica-fuel-injection-diagram.pdfIn PDF document text
    • http://uncpbisdegree.com/1/study-guide-for-content-mastery-groundwater.pdfIn PDF document text
    • http://uncpbisdegree.com/1/sony-xm-3001sxd-car-amplifiers-owners-manual.pdfIn PDF document text
    • http://riverside-resort.net/1/where-am-i-my-world.pdfIn PDF document text
    • http://uncpbisdegree.com/1/suzuki-30-hp-outboard-parts.pdfIn PDF document text
    • http://riverside-resort.net/1/when-was-asbestos-first-discovered.pdfIn PDF document text
    • http://riverside-resort.net/1/using-light.pdfIn PDF document text
    • http://uncpbisdegree.com/1/speaker-wire-color-code-gm.pdfIn PDF document text
    • http://riverside-resort.net/1/volkswagen-20-tdi-self-study-program-document.pdfIn PDF document text
    • http://uncpbisdegree.com/1/solubility-rules-worksheet-with-answers.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000035c0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x35C0 10380 bytes
SHA-256: d799b940f09c9b77d87365b711888dbe1d1defb2cdf37aadd53176edc510cd38
font_01_sfnt_off000056c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x56C2 8456 bytes
SHA-256: 53032a2d4fabd0346d7c93b8da5984b5d9aaaed683d23ad024344b8fb8c52083