Malicious PDF — malware analysis report

Static analysis result for SHA-256 5814ff784b1f9aa1…

MALICIOUS

PDF

Size: 28.3 KB
Created: 2018-06-11 10:02:34 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 772f2aba2142d80f5da55770351867c1
SHA-1: 7480354ca9158ffb39edea36d7ceb038dbf3f9ad
SHA-256: 5814ff784b1f9aa1c3be29df856a7b752eeb3a94a8c36d79406031551b341216
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, many of which point to suspicious domains like 'uncpbisdegree.com' and 'riverside-resort.net'. The 'PDF_SEO_LINK_FARM' heuristic indicates that these links are likely part of a scheme to trick users into downloading malicious content, possibly by disguising them as legitimate documents. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports the idea that the document is designed to prompt user interaction for downloading files. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000032ca.bin
    SHA-256: 5316c44e147f4920ccbbc8262e2886124af72b5d426054b3290789b9c59dddfb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x32CA
    Size: 10132 bytes
  • Filename: font_01_sfnt_off0000530f.bin
    SHA-256: d44b5458b059e0f18b1677f1005e702e7cce3a5028b4910fb16f97f4792c682b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x530F
    Size: 7976 bytes