Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b5dbfbf29b586b1…

MALICIOUS

PDF

Size: 36.6 KB
Created: 2018-06-11 09:45:39 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-08-10
MD5: 72050265c96e28beaced913a0436da54
SHA-1: 9d05ae27f8d3e5468bf36e3f554007c5e33c9f86
SHA-256: 4b5dbfbf29b586b1cb1c9da642af3d340cdf15147b5965a68635113018877fc2
Risk score: 130

Machine Learning

  • Nyx PDF Classifier malicious score 0.8870

Heuristics (4)

  • PDF_SEO_FAKE_DOWNLOAD [critical]: Fake 'free download' SEO-poisoning PDF
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF_SEO_PHP_GATEWAY_LINK_FARM [medium]: PDF carries a PHP-gateway SEO-spam PDF link farm
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=sony-nex-5r-manual-focus.pdf (in PDF document text)
    • http://uncpbisdegree.com/download4.php?q=sony-nex-5r-manual-focus.pdf (in PDF document text)
    • http://sonyalphalab.com/product-review/sony-fe-90mm-f2-8-macro-g-oss-lens-review/ (in PDF document text)
    • https://www.digicamdb.com/compare/sony_alpha-a5000-vs-canon_eos-7d/ (in PDF document text)
    • http://www.metabones.com/products/details/MB_SPEF-E-BT2 (in PDF document text)
    • http://friedmanarchives.com/ebooks/ (in PDF document text)
    • http://www.metabones.com/products/details/MB_SPPL-E-BT1 (in PDF document text)
    • http://www.zoomcamera.net/%E0%B8%82%E0%B9%88%E0%B8%B2%E0%B8%A7%E0%B8%81%E0%B8%A5%E0%B9%89%E0%B8%AD%E0%B8%87/Canon-announced-EOS-6D.html (in PDF document text)
    • http://uncpbisdegree.com/1/special-triangles-worksheet-with-answers.pdf (in PDF document text)
    • http://riverside-resort.net/1/vl-commodore-workshop-manual.pdf (in PDF document text)
    • http://riverside-resort.net/1/unofficial-lego-builders-guide.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/sheep-heart-dissection-questions-answers.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/the-body-of-beatrice.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/the-eternal-flame-great-tree-of-avalon-3-ta-barron.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/structure-of-an-atom-worksheet-answer-key.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/short-test-9a-unit-9-answer-key.pdf (in PDF document text)
    • http://riverside-resort.net/1/vertical-business-card-template-psd.pdf (in PDF document text)
    • http://riverside-resort.net/1/vw-golf-mk1-light-wiring.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://www.manualslib.com/manual/875517/Sony-Alpha-Nex-5r.html (in PDF document text)
    • https://www.manualslib.com/brand/sony/digital-camera.html (in PDF document text)
    • https://www.manualslib.com/products/Sony-Alpha-Nex-5r-143795.html (in PDF document text)
    • https://www.kenrockwell.com/sony/nex-5r.htm (in PDF document text)
    • https://en.wikipedia.org/wiki/Sony_NEX-5 (in PDF document text)
    • https://www.aliexpress.com/item/Meike-MK-S-35-1-7-35mm-f1-7-Large-Aperture-Manual-Focus-lens-APS-C/32827480650.html (in PDF document text)
    • https://www.theverge.com/2012/12/17/3774752/sony-nex-5r-review (in PDF document text)
    • https://en.wikipedia.org/wiki/Sony_E-mount (in PDF document text)
    • https://www.cloudynights.com/topic/515277-sony-nex-3n-astrophotography/ (in PDF document text)
    • https://www.cloudynights.com/forum/74-astrophotography-and-sketching/ (in PDF document text)
    • https://www.kenrockwell.com/sony/18-55mm-oss.htm (in PDF document text)
    • https://www.sony.com/all-electronics (in PDF document text)
    • https://www.aliexpress.com/item/MEIKE-MK-6-5mm-F2-0-E-Mount-Works-with-Sony-NEX-3-NEX-5-NEX/32809618280.html (in PDF document text)
    • http://www.trustedreviews.com/reviews/sony-nex-6 (in PDF document text)
    • http://www.trustedreviews.com/reviews (in PDF document text)
    • http://www.trustedreviews.com/reviews/digital-cameras (in PDF document text)
    • https://www.amazon.com/Sony-Mirrorless-Digitial-3-0-Inch-16-50mm/dp/B00I8BICB2 (in PDF document text)
    • https://www.amazon.com/Digital-Cameras/b?ie=UTF8&node=281052 (in PDF document text)
    • https://www.amazon.com/Mirrorless-Cameras/b?ie=UTF8&node=3109924011 (in PDF document text)
    • https://www.amazon.com/Sony-NEX-FS700-Sensor-Super35-Camcorder/dp/B00HWC8NCQ (in PDF document text)
    • https://www.amazon.com/Camera-Photo-Film-Canon-Sony/b?ie=UTF8&node=502394 (in PDF document text)
    • https://www.amazon.com/Video-Equipment/b?ie=UTF8&node=7161073011 (in PDF document text)
    • https://www.amazon.com/Camcorders-Camera-Photo/b?ie=UTF8&node=172421 (in PDF document text)
    • https://www.dpreview.com/articles/4383452250/a6300-versus-a6500 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (in PDF document text)
    • https://go.microsoft.com/fwlink/?linkid=868922 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=617297 (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)
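The three SEO-poisoning heuristics above (PDF_SEO_PHP_GATEWAY_LINK_FARM, SE_DOWNLOAD_BUTTON and the PDF_SEO_FAKE_DOWNLOAD conjunction) can be reproduced over an extracted URL list and the document text. The following is an added example written for this page, not the analysis platform's own detector: the phrase list, the 3-token definition of a "multi-word phrase", the ML cut-off, the document-extension set and the caller-supplied origin host are all assumptions, and every URL other than the two `download3.php`/`download4.php` gateway links from the report is constructed on placeholder `.test` hosts.

```python
"""Re-implementation of the SEO-poisoning PDF heuristics described in the report.

Added example, not the analysis platform's own code. Thresholds, the CTA phrase
list, the document-extension set and the "origin host" (the site the PDF was
fetched from) are assumptions; sample inputs are constructed except for the two
gateway URLs taken from the report.
"""
import re
from urllib.parse import urlparse

# A `.php` endpoint followed by a path segment, a query string, or the end of the URL.
GATEWAY_RE = re.compile(r'\.php(?=[/?]|$)', re.I)
# Three or more words joined by - + or _ and ending in .pdf.  Assumption: 3 tokens
# is the line between a filename ("annual-report.pdf") and a search phrase.
SLUG_RE = re.compile(r'([a-z0-9]+(?:[-+_][a-z0-9]+){2,})\.pdf\b', re.I)
# Assumed set of "document payload" extensions for the fake-download rule.
DOC_EXT_RE = re.compile(r'\.(?:pdf|docx?|xlsx?|pptx?)\b', re.I)
# Assumed CTA phrase list (the report names the first two).
CTA_PHRASES = ('click here to download', 'download now', 'free download', 'download pdf')
ML_THRESHOLD = 0.5  # assumed cut-off; the report shows 0.8870 for this sample


def gateway_slug(url):
    """Return the search-phrase slug carried by a .php gateway URL, or None.

    Only the part of the URL after `.php` is inspected, so both
    index.php?q=some-phrase.pdf and pdf.php/some-phrase.pdf are caught,
    while serve.php?id=12345 and download.php?file=report.pdf are not.
    """
    m = GATEWAY_RE.search(url)
    if not m:
        return None
    s = SLUG_RE.search(url[m.end():])
    return s.group(1) if s else None


def php_gateway_link_farm(urls, min_links=4):
    """PDF_SEO_PHP_GATEWAY_LINK_FARM: >= min_links distinct gateway links with a phrase slug."""
    farm = sorted(u for u in set(urls) if gateway_slug(u))
    return farm if len(farm) >= min_links else []


def off_domain_doc_gateways(urls, origin_host):
    """Gateway links on a host other than origin_host whose query string names a document file."""
    out = []
    for u in set(urls):
        p = urlparse(u)
        if (p.hostname and p.hostname.lower() != origin_host.lower()
                and GATEWAY_RE.search(p.path) and DOC_EXT_RE.search(p.query)):
            out.append(u)
    return sorted(out)


def download_button_lure(text):
    """SE_DOWNLOAD_BUTTON: call-to-action phrases present in the document text."""
    t = text.lower()
    return [ph for ph in CTA_PHRASES if ph in t]


def fake_download_seo(ml_score, text, urls, origin_host):
    """PDF_SEO_FAKE_DOWNLOAD: fires only on the conjunction of all three signals."""
    lure = download_button_lure(text)
    gateways = off_domain_doc_gateways(urls, origin_host)
    fired = ml_score >= ML_THRESHOLD and bool(lure) and bool(gateways)
    return {'fired': fired, 'ml_score': ml_score, 'lure': lure, 'gateways': gateways}


# The two gateway links listed in the report above.
REPORT_GATEWAYS = [
    'http://uncpbisdegree.com/download3.php?q=sony-nex-5r-manual-focus.pdf',
    'http://uncpbisdegree.com/download4.php?q=sony-nex-5r-manual-focus.pdf',
]
# Constructed: the two URL shapes quoted in the heuristic text, on placeholder hosts.
CONSTRUCTED_FARM = [
    'http://farm.example.test/index.php?dl=1/binary+options+trading+nz.pdf',
    'http://farm.example.test/pdf.php/cialis-dosage-side-effects.pdf',
]
# Constructed decoys: numeric id / plain filename / ordinary link, none should count as a farm link.
BENIGN = [
    'https://docs.example.test/serve.php?id=12345',
    'https://docs.example.test/download.php?file=annual-report.pdf',
    'https://en.wikipedia.org/wiki/Sony_E-mount',
]
SAMPLE_TEXT = 'Sony NEX-5R manual focus guide. Click here to download the full PDF.'  # constructed

if __name__ == '__main__':
    urls = REPORT_GATEWAYS + CONSTRUCTED_FARM + BENIGN
    print('link farm:', php_gateway_link_farm(urls))
    print('fake download:', fake_download_seo(0.8870, SAMPLE_TEXT, urls, 'example-origin.test'))
```

Note the asymmetry the report relies on: the link-farm rule keys on the phrase slug, so `download.php?file=annual-report.pdf` never counts towards it, while the fake-download rule deliberately accepts any off-domain gateway naming a document and leaves false-positive suppression to the conjunction with the lure and the classifier score.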

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000051e8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x51E8  10716 bytes
  SHA-256: 4b85a099aaa9c4ca0604615225ac367e234e7713cf324cf1cb971121887468b2
font_01_sfnt_off000073c2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x73C2  7072 bytes
  SHA-256: c5c9986d7caaba933b40725c150d52541cfbc1a7849d27c9034f98aedfc69166