PDF malware analysis — malicious · 8391efac93d57183

MALICIOUS

PDF

37.2 KB Created: 2018-06-11 09:20:55 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)

MD5: d9902775e43ca9e3ad6ca089e7a15f64 SHA-1: 0b70e214d685466dd610782e910484222b2fcd03 SHA-256: 8391efac93d57183662dddf576f811a66d1c74c9a685abd90eb9f3683359a6da

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains heuristics indicating it is a fake 'free download' SEO-poisoning document. The embedded URLs, specifically http://uncpbisdegree.com/download3.php?q=when-love-turns-to-hate.pdf, are associated with malicious activity. The document body also contains these URLs, reinforcing the lure to download a file from a suspicious domain.

Machine Learning

Nyx PDF Classifier malicious score 0.8839

Heuristics 4

Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD

The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://uncpbisdegree.com/download3.php?q=when-love-turns-to-hate.pdf
- http://uncpbisdegree.com/download4.php?q=when-love-turns-to-hate.pdf
- https://redeeminggod.com/love-the-sinner-hate-the-sin/
- http://imaginacres.com/love-hate-angora-rabbit/
- https://www.truelovescam.com/sociopaths-hate-us/
- http://www.vagabondish.com/love-hate-being-american/
- https://positively.com/contributors/digging-chewing-chasing-barking-instinctive-drives-you-love-or-hate/
- http://www.biofuelsdigest.com/bdigest/2010/05/24/methanol-biofuel-to-love-or-hate/
- http://www.afterpsychotherapy.com/love-and-hatred/
- http://agniveer.com/hate-zakir/
- http://uncpbisdegree.com/1/tuvalu-business-intelligence-report.pdf
- http://uncpbisdegree.com/1/the-new-oxford-annotated-bible-new-revised-standard-version-college-edition-4th-edition.pdf
- http://uncpbisdegree.com/1/the-syntax-of-welsh-a-transformational-study-of-the-passive.pdf
- http://uncpbisdegree.com/1/volvo-v40-user-manual-download.pdf
- http://uncpbisdegree.com/1/toyota-fx-gt-wiring-diagram-1989.pdf
- http://uncpbisdegree.com/1/the-supermodel-and-the-brillo-box.pdf
- http://uncpbisdegree.com/1/the-sage-handbook-of-public-relations.pdf
- http://uncpbisdegree.com/1/university-of-maryland-doctors.pdf
- http://uncpbisdegree.com/1/the-political-economy-of-stalinism-evidence-from-the-soviet-secret-archives.pdf
- http://uncpbisdegree.com/1/yamaha-dt50-and-80-trail-bikes-owners-workshop-manual-haynes-owners-workshop-manuals.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.espn.com/soccer/blog/the-toe-poke/65/post/2247212/cristiano-ronaldo-33-reasons-to-love-or-hate-him
- http://dailycaller.com/2018/02/06/sarah-sanders-democrats-hate-trump-love-this-country/
- https://en.wikipedia.org/wiki/List_of_Love/Hate_episodes
- http://theweek.com/articles/745681/hate-love-lucy
- http://tvtropes.org/pmwiki/pmwiki.php/Main/LoveItOrHateIt
- https://www.jpost.com/International/Prof-Stephen-Hawkings-love-hate-relationship-with-Israel-545123
- https://www.forbes.com/sites/davidphelan/2017/12/10/apple-iphone-x-the-mid-term-review-ten-things-to-love-or-hate/
- http://forums.whirlpool.net.au/archive/2442375
- http://forums.whirlpool.net.au/forum/106
- https://www.gq.com/story/baseball-dates
- https://www.netflix.com/title/80026506
- https://www.nytimes.com/2018/04/18/movies/godard-mon-amour-review.html
- http://www.breitbart.com/big-government/2018/02/15/donald-trump-florida-school-shooting/
- http://indianexpress.com/article/research/muhammad-ali-jinnah-aligarh-muslim-university-hindu-yuva-vahini-amu-a-love-hate-relationship-5163066/
- http://indianexpress.com/section/research/
- http://www.dailymail.co.uk/sciencetech/article-4860116/Why-love-hate-Marmite-genes.html
- https://www.amazon.com/Myth-Nice-Girl-Achieving-Becoming/dp/1328832953
- https://www.amazon.com/books-used-books-textbooks/b?ie=UTF8&node=283155
- https://www.amazon.com/Business-Money-Investing-Books/b?ie=UTF8&node=3
- https://www.amazon.com/Personal-Finance-Business-Investing-Books/b?ie=UTF8&node=2717
- http://www.dailymail.co.uk/femail/article-1220782/Why-men-love-beards-women-hate-them.html
- http://www.vulture.com/2018/03/love-after-love-review.html
- http://www.latimes.com/books/jacketcopy/la-ca-jc-hate-u-give-20170602-story.html
- https://www.usmagazine.com/stylish-2/
- https://www.facebook.com/bancomicsansdotcom
- https://www.thefreedictionary.com/love
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
+4 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000559c.bin` `43aba55d161044175aca810b3c8a45e869f94bdf183057cfd20d408dead1e8cd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x559C	10300 bytes
`font_01_sfnt_off0000765e.bin` `a4f097ed4ac1e64493016fe0022201164e435891540d276ce232436facbead9a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x765E	6788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.