Malicious PDF — malware analysis report

Static analysis result for SHA-256 65b2f7a84095e6bc…

Verdict: MALICIOUS
File type: PDF
Size: 31.8 KB
Created: 2018-06-11 08:41:03 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: aa9a84ff81f72c6a22f393531abff66f
SHA-1: 0edcb6ce38cba1d338643f622e1cbf5a72c699cb
SHA-256: 65b2f7a84095e6bc87111ae2fd530404116ea466704455cdcb61eb5c4ca45738
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was identified as malicious by an ML classifier and contains heuristics indicating it is a fake download lure. The document body and embedded URLs point to a domain designed to trick users into downloading a file, likely a second-stage payload. The primary malicious URLs are http://uncpbisdegree.com/download3.php?q=studies-in-indology.pdf and http://uncpbisdegree.com/download4.php?q=studies-in-indology.pdf.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9202

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (severity: critical; rule PDF_SEO_FAKE_DOWNLOAD)
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure (severity: low; rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info; rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=studies-in-indology.pdf
    • http://uncpbisdegree.com/download4.php?q=studies-in-indology.pdf
    • http://archaeologyonline.net/
    • https://mlbd.com/
    • http://www.bvbdelhi.org/
    • http://hoshiarpur.nic.in/html/education.htm
    • http://www.blindology.co.uk/
    • http://shodhganga.inflibnet.ac.in/community-list
    • http://www.vifindia.org/reports
    • http://www.academic-genealogy.com/ancestorrootsinformationdatabases.htm
    • http://www.agamaacademy.org/digital-library-en.php
    • http://uncpbisdegree.com/1/sony-alpha-350-guide.pdf
    • http://riverside-resort.net/1/world-history-reteaching-activity-answers.pdf
    • http://riverside-resort.net/1/where-did-asians-come-from.pdf
    • http://riverside-resort.net/1/wealth-forever.pdf
    • http://riverside-resort.net/1/warrior-leveling-guide-6-0.pdf
    • http://uncpbisdegree.com/1/september-mathematics-paper-1-2018-grade-12-mpumalanga.pdf
    • http://uncpbisdegree.com/1/study-guide-for-middle-school-english-praxis.pdf
    • http://uncpbisdegree.com/1/the-doris-day-vintage-film-club-a-hilarious-feel-good-holiday-read.pdf
    • http://uncpbisdegree.com/1/the-chronological-encyclopedia-of-discoveries-in-space.pdf
    • http://riverside-resort.net/1/vauxhall-zafira-repair-manual.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://en.wikipedia.org/wiki/Indology
    • https://en.wikipedia.org/wiki/Sinology
    • https://www.uni-heidelberg.de/courses/prospective/academicprograms/index.html
    • http://www.uni-heidelberg.de/index_e.html
    • http://www.uni-heidelberg.de/courses/
    • https://www.universityadmissions.se/
    • http://www.sanskrit-lexicon.uni-koeln.de/
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004149.bin
    SHA-256: 1092cfe2a840df975923c3fe3f76180358a843a55be65e768cf5ef0c7237b520
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4149
    Size: 10512 bytes
  • font_01_sfnt_off000062a1.bin
    SHA-256: d24bc219783847c51b1e8f438810de0fc5a38f83ce4d1a2413d4705396d4794b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x62A1
    Size: 6856 bytes