Malicious PDF — malware analysis report

Static analysis result for SHA-256 86a23ad890b3734e…

MALICIOUS

PDF

27.3 KB Created: 2018-06-11 09:36:04 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-08-25
MD5: d06d36343f11670b8152c2be83315098 SHA-1: fd2c158889dd83440c154aa11f5cc0fba2178e53 SHA-256: 86a23ad890b3734e86aea9ac17448e5af1f38dd2b98da6d094b68f4536486593
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs and a "fake download" heuristic firing, indicating it's designed to trick users into downloading potentially malicious content. The document body and heuristics suggest a SEO poisoning lure, using keywords like "suzuki dsp125 repair manual" to attract victims. While no scripts were directly extracted, the nature of the embedded links and the ML classifier's high confidence suggest a malicious intent to redirect users to harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9664

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=suzuki-dsp125-repair-manual.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=suzuki-dsp125-repair-manual.pdfIn PDF document text
    • http://www.megalawbooks.com/reference-guide-for-electrical-formulas.pdfIn PDF document text
    • http://riverside-resort.net/1/september-2018-physics-paper-1-limpopo.pdfIn PDF document text
    • http://riverside-resort.net/1/special-education-helping-children-with-attention-problems.pdfIn PDF document text
    • http://riverside-resort.net/1/the-seven-secrets-of-how-to-think-like-a-rocket-scientist.pdfIn PDF document text
    • http://riverside-resort.net/1/sherlock-holmes-his-last-bow-reprint.pdfIn PDF document text
    • http://riverside-resort.net/1/tahoe-has-police-wiring.pdfIn PDF document text
    • http://riverside-resort.net/1/the-rough-guide-to-europe-on-a-budget.pdfIn PDF document text
    • http://riverside-resort.net/1/solutions-for-company-accounting-leo-hoggett.pdfIn PDF document text
    • http://riverside-resort.net/1/toshiba-e-studio-281c-manual.pdfIn PDF document text
    • http://riverside-resort.net/1/the-world-according-to-kaley.pdfIn PDF document text
    • http://riverside-resort.net/1/study-guide-nocti-pre-engineering.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003188.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3188 9884 bytes
SHA-256: f488378c4bcd326d181c270d12d482d758730c1e333f4b776ecb63ca2508b76e
font_01_sfnt_off000050f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x50F2 7300 bytes
SHA-256: e0b65bcb183ea3ced2b50a58a678b5b143ab19caa026b11a18eaf54c33aab3d4