Malicious PDF — malware analysis report

Static analysis result for SHA-256 57555058108e00e0…

Verdict: MALICIOUS
File type: PDF (37.1 KB)
Created: 2018-06-11 08:28:14 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: ecf3d8178dae1332e3d356d49150a6e7
SHA-1: 59a447a6a6f3ff267d4fd476c27ec2018fd3731f
SHA-256: 57555058108e00e09f5bb220de4ff096e689871884adc72aee86182451d8916c
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by a machine-learning classifier, and heuristics indicate it is a fake download page built for SEO poisoning. The document body contains URLs that lead to a download page, so the likely intent is to trick the user into downloading a malicious file disguised as an educational resource. The primary malicious URLs are http://uncpbisdegree.com/download3.php?q=toddlers-moving-and-learning-a-physical-education-curriculum.pdf and http://uncpbisdegree.com/download4.php?q=toddlers-moving-and-learning-a-physical-education-curriculum.pdf.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8839

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=toddlers-moving-and-learning-a-physical-education-curriculum.pdf (PDF link annotation)
    • http://uncpbisdegree.com/download4.php?q=toddlers-moving-and-learning-a-physical-education-curriculum.pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005578.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5578
    Size: 9976 bytes
    SHA-256: 9fae55c878108cd8c2a145b8ca895ab0ede65473aa9073620f2b1b06ca308529
  • font_01_sfnt_off0000754b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x754B
    Size: 7172 bytes
    SHA-256: a419b573d768baeea47231d188392d192ccc2e4610e0c8a20b73774193398564