Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d699b7f3b0c2ba1…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Created: 2018-06-11 08:57:34 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-12-25
MD5: 4ee548599821c5edec6ffed2ca60dd69
SHA-1: bcf47b6c800c2d1e318b950d52fceaeaf8ac5af8
SHA-256: 6d699b7f3b0c2ba1f0cff0dba4ac816f97414ffae91c87ed3d0cfbbb835cb66d
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF document employs SEO poisoning to trick users into downloading a malicious file. The critical heuristic 'PDF_SEO_FAKE_DOWNLOAD' indicates a fake download gateway, with the primary malicious URL being http://uncpbisdegree.com/download3.php?q=tommies-part-one-1914.pdf. The document body contains numerous URLs, likely to improve search engine ranking and disguise its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9136

Heuristics (4)

  • PDF_SEO_FAKE_DOWNLOAD (critical): Fake 'free download' SEO-poisoning PDF
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, then the channel it was reached through):
    • http://uncpbisdegree.com/download3.php?q=tommies-part-one-1914.pdf (PDF link annotation)
    • http://uncpbisdegree.com/download4.php?q=tommies-part-one-1914.pdf (in PDF document text)
    • http://www.worldwar1.com/heritage/angel.htm (in PDF document text)
    • http://www.westernfrontassociation.com/ (in PDF document text)
    • http://www.greatwar.co.uk/events/ww1-uk-events.htm (in PDF document text)
    • http://someinterestingfacts.net/battle-of-amiens-1918/ (in PDF document text)
    • http://www.history-of-american-wars.com/world-war-1-guns.html (in PDF document text)
    • http://www.ozebook.com/ (in PDF document text)
    • http://www.greatnorthernpublishing.co.uk/great-war/gw-back-issues.html (in PDF document text)
    • http://hinkydinky.net/what-about-that-song/ (in PDF document text)
    • http://www.militariamart.com/index99.php?l=240 (in PDF document text)
    • http://www.hitler.org/writings/Mein_Kampf/mkv1ch04.html (in PDF document text)
    • http://www.toptenz.net/top-10-british-generals-1700-1945.php (in PDF document text)
    • http://www.worldwar1.com/dbc/smortar.htm (in PDF document text)
    • http://www.firstworldwar.com/diaries/edwinjones.htm (in PDF document text)
    • https://www.fany.org.uk/history/wwi/overview (in PDF document text)
    • https://worldwar2.org.uk/soldiers-world-war-2 (in PDF document text)
    • http://www.hallfamilyname.com/index.html (in PDF document text)
    • http://www.psywarrior.com/V1RocketLeaf.html (in PDF document text)
    • http://riverside-resort.net/1/ssd-army-writing-style-answers.pdf (in PDF document text)
    • http://riverside-resort.net/1/the-longer-bodies.pdf (in PDF document text)
    • http://riverside-resort.net/1/the-mad-ones-crazy-joe-gallo-and-revolution-at-edge-of-underworld-tom-folsom.pdf (in PDF document text)
    • http://riverside-resort.net/1/standing-up-to-the-madness-ordinary-heroes-in-extraordinary-times-amy-goodman.pdf (in PDF document text)
    • http://riverside-resort.net/1/solutions-manual-introduction-to-operations-research-hillier.pdf (in PDF document text)
    • http://riverside-resort.net/1/solution-manual-numerical-method-for-engineerss.pdf (in PDF document text)
    • http://riverside-resort.net/1/the-dark-of-the-sun.pdf (in PDF document text)
    • http://riverside-resort.net/1/theft-1992-corvette-wiring.pdf (in PDF document text)
    • http://riverside-resort.net/1/small-wars-a-novel.pdf (in PDF document text)
    • http://riverside-resort.net/1/so-you-want-to-be-a-talent-agent-everything-you.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://www.bbc.co.uk/programmes/p01nb93y (in PDF document text)
    • https://en.wikipedia.org/wiki/Battle_of_Mons (in PDF document text)
    • http://armyservicenumbers.blogspot.com/2009/04/lincolnshire-regiment-service.html (in PDF document text)
    • https://en.wikipedia.org/wiki/Hundred_Days_Offensive (in PDF document text)
    • http://tvtropes.org/pmwiki/pmwiki.php/UsefulNotes/WorldWarI (in PDF document text)
    • https://www.telegraph.co.uk/history/world-war-one/10383716/BBC-to-show-unseen-interviews-revealing-First-World-War-veterans-feelings.html (in PDF document text)
    • http://www.dailymail.co.uk/sciencetech/article-3454568/The-truth-life-trenches-WWI-soldiers-spent-half-time-frontline-came-fire-five-days.html (in PDF document text)
    • http://www.edp24.co.uk/topic/Organization/Royal (in PDF document text)
    • https://www.express.co.uk/life-style/life/789444/War-Horse-Memorial-Ascot-honour-First-World-War-heroes (in PDF document text)
    • https://www.nytimes.com/2014/06/27/world/europe/world-war-i-brought-fundamental-changes-to-the-world.html (in PDF document text)
    • http://spartacus-educational.com/FWWsomme.htm (in PDF document text)
    • http://spartacus-educational.com/FWW.htm (in PDF document text)
    • http://spartacus-educational.com/FWWbattles.htm (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (in PDF document text)
    • https://go.microsoft.com/fwlink/?linkid=868922 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=617297 (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005050.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5050
    Size: 10244 bytes
    SHA-256: c902bc1fbacc2fc3a7119e1e4c35b19b6a8067b9abb4d63a8a31ca9d26b8d375
  • Filename: font_01_sfnt_off000070ff.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70FF
    Size: 7048 bytes
    SHA-256: f60f28bbe0879fe9a6813335f8c87090cbe1d23f42fc04f0509ea0f3bfe0cba9