Malicious PDF — malware analysis report

Static analysis result for SHA-256 697ad666a33f2165…

MALICIOUS

PDF

Size: 35.9 KB
Created: 2018-06-11 08:57:58 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 2a00376f0d7ac37c4243c090ab666a05
SHA-1: 2ecec55def1ed5c4c1d465dd76b92fa32ce0a156
SHA-256: 697ad666a33f2165e63c3ffe3f38f80347a04c7d7f4700062303e3fc7f77e2a1
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF was flagged by the machine learning classifier, and the heuristic findings identify it as a fake-download lure. The document body and link annotations point to external URLs, one of which is a server-side download gateway that is likely used to serve a malicious payload. The primary attack vector is social engineering: the victim is tricked into clicking a download link inside the document, which then fetches the payload from that gateway.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8839

Heuristics (4)

  • PDF_SEO_FAKE_DOWNLOAD (critical): Fake 'free download' SEO-poisoning PDF
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=then-again.pdf
    • http://uncpbisdegree.com/download4.php?q=then-again.pdf
    • http://bookagain.com/
    • http://badservicesa.com/
    • http://www.scassoc.net/
    • http://www.wear-earrings-again.com/index.html
    • http://www.meanbitches.com/
    • http://www.depilexonline.com/
    • https://view.flipdocs.com/?ID=10006519_979691
    • http://indiqube.com/
    • http://www.mikesgonefishing.com/
    • http://www.holistic-hypothyroidism-solutions.com/reverse-t3.html
    • http://www.iowajobs.org/
    • http://www.midsouthwrestling.com/photos-then.html
    • http://www.backandneck.ca/back-pain-and-nausea-when-back-pain-is-a-sign-of-a-different-problem/
    • http://stagingyourcomeback.com/
    • http://riverside-resort.net/1/the-open-field-system-and-beyond-a-property-rights-analysis-of-an-economic-institution.pdf
    • http://riverside-resort.net/1/turbo-hydra-matic-400-automatic-transmission-repair-manual.pdf
    • http://riverside-resort.net/1/songs-to-africa-cries-sighs-of-an-african-woman.pdf
    • http://riverside-resort.net/1/the-chemical-history-of-color.pdf
    • http://riverside-resort.net/1/the-story-of-snow-the-science-of-winter-apos-s-wonder.pdf
    • http://riverside-resort.net/1/softball-try-out-evaluation-form.pdf
    • http://riverside-resort.net/1/the-last-things-biblical-and-theological-perspectives-on-eschatology.pdf
    • http://riverside-resort.net/1/stripped-clean-down-to-nothing-but-the-cross-simply-for-students.pdf
    • http://riverside-resort.net/1/under-milk-wood-dylan-thomas.pdf
    • http://riverside-resort.net/1/toyota-5k-engine-manual-vakum.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://www.twitch.tv/summit1g
    • https://www.foxsports.com/arizona/video
    • https://www.nytimes.com/2017/05/12/opinion/sunday/if-liberals-hate-him-then-trump-must-be-doing-something-right.html
    • http://www.rochester.edu/news/show.php?id=4622
    • http://www.wordreference.com/es/translation.asp?tranword=timber
    • http://www.wordreference.com/enfr/then
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=FR_EN&a=http%3a%2f%2fwww.wordreference.com%2fenfr%2fthen
    • http://homestarrunner.com/sbemail58.html
    • http://www.slate.com/articles/news_and_politics/foreigners/2015/09/why_drivers_in_china_intentionally_kill_the_pedestrians_they_hit_china_s.html
    • https://www.biblegateway.com/passage/?search=Matthew+4&version=NIV
    • https://www.washingtonpost.com/news/acts-of-faith/wp/2017/09/17/the-world-as-we-know-it-is-about-to-end-again-if-you-believe-this-biblical-doomsday-claim/
    • https://www.nytimes.com/interactive/2017/business/energy-environment/oil-prices.html
    • https://support.microsoft.com/en-us/help/2608523/how-to-clean-a-corrupted-silverlight-installation-and-then-reinstall-s
    • http://quizstar.4teachers.org/indexs.jsp
    • http://www.newadvent.org/cathen/02498d.htm
    • http://www.newadvent.org/cathen
    • http://www.newadvent.org/cathen/b.htm
    • http://www.spanishdict.com/translate/el
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    +2 more URL(s)
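The PDF_SEO_FAKE_DOWNLOAD rule above is a conjunction of three independent signals. The following Python is an added illustration of that logic and is not the analysis platform's own code. It pulls /URI actions out of raw PDF bytes (the link-annotation channel), tests each URL against an assumed download-gateway pattern (a script path such as /download3.php whose query string names a document), looks for the call-to-action phrase, and only fires the critical verdict when all three line up with the ML score. The minimal PDF, the body text, the phrase list, the gateway path pattern and the "off-domain" definition (gateway host shared by none of the other links) are constructed assumptions; the URLs themselves are taken from the list above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Call-to-action phrases that constitute the visual download lure (assumed list).
CTA_PHRASES = ("click here to download", "download now", "free download", "download pdf")
# A query-string value ending in one of these counts as a named document payload.
DOC_EXTS = (".pdf", ".doc", ".docx", ".epub", ".zip")
# Server-side download-gateway script paths such as /download3.php (assumed pattern).
GATEWAY_PATH = re.compile(r"/(?:download|dl|get|fetch)\d*\.(?:php|aspx?|cgi|jsp)$", re.I)
# /URI (...) actions in raw PDF bytes. Literal strings only: hex strings and URIs inside
# compressed object streams are not handled here (a real tool inflates those first).
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return the URLs carried by /URI actions (the link-annotation channel)."""
    uris = []
    for m in URI_ACTION.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, lit in ((rb"\(", b"("), (rb"\)", b")"), (rb"\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def is_gateway_link(url):
    """Gateway link: script path matching GATEWAY_PATH whose query names a document payload."""
    u = urlparse(url)
    if not GATEWAY_PATH.search(u.path):
        return False
    values = (v for vals in parse_qs(u.query).values() for v in vals)
    return any(v.lower().endswith(DOC_EXTS) for v in values)


def has_cta(text):
    """True if the page text carries a download call-to-action phrase."""
    flat = " ".join(text.lower().split())
    return any(p in flat for p in CTA_PHRASES)


def triage(ml_score, urls, body_text, ml_threshold=0.5):
    """Apply the three-signal conjunction and return the supporting evidence."""
    gateways = [u for u in urls if is_gateway_link(u)]
    decoys = [u for u in urls if u not in gateways]
    decoy_hosts = {urlparse(u).hostname for u in decoys}
    # "Off-domain" (assumed definition): the gateway host is shared by none of the other links.
    off_domain = [u for u in gateways if urlparse(u).hostname not in decoy_hosts]
    findings = {
        "ml_flagged": ml_score >= ml_threshold,
        "cta_lure": has_cta(body_text),
        "gateway_links": gateways,
        "off_domain_gateways": off_domain,
        "decoy_link_count": len(decoys),
    }
    # Only the conjunction fires the critical verdict; each signal on its own stays low/info.
    findings["fake_download"] = bool(findings["ml_flagged"] and findings["cta_lure"] and off_domain)
    return findings


# Constructed minimal PDF (not the analysed sample) carrying two link annotations.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://uncpbisdegree.com/download3.php?q=then-again.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://www.newadvent.org/cathen/b.htm) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed body text standing in for the rendered page.
SAMPLE_TEXT = "Then Again\nFree download. Click here to download the PDF."
# A few of the decoy URLs from the report, as the padding the heuristic describes.
REPORT_DECOYS = [
    "http://bookagain.com/",
    "http://riverside-resort.net/1/under-milk-wood-dylan-thomas.pdf",
    "https://view.flipdocs.com/?ID=10006519_979691",
    "https://www.biblegateway.com/passage/?search=Matthew+4&version=NIV",
]


def analyse_sample():
    """Run the rule over the constructed PDF plus report decoys, using the report's ML score."""
    urls = extract_uris(SAMPLE_PDF) + REPORT_DECOYS
    return triage(0.8839, urls, SAMPLE_TEXT)


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

Note that a direct link to a hosted .pdf (the riverside-resort.net entries) is deliberately not treated as a gateway: the path ends in the document itself rather than in a script that decides what to serve, which is the distinction the heuristic draws when it separates decoy links from the delivery channel.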

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005257.bin
  SHA-256: db0128f99f47065b58152db4479f622aae130a270e36cb04cf1de7d9e0d940fe
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5257
  Size: 9952 bytes

Filename: font_01_sfnt_off0000720e.bin
  SHA-256: 1575b4461c903a082003234f53f7e7a0f3a62eaf70dd0c1c4d23fc064e4cd3d1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x720E
  Size: 6620 bytes