Malicious PDF — malware analysis report

Static analysis result for SHA-256 8772e90c36b21c73…

MALICIOUS

PDF

Size: 33.3 KB
Created: 2018-06-11 09:11:06 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 0fa8c5311e56f96305885ccfc5a2a07f
SHA-1: 0c834fa9cf55cc83596eff606d4374aa97f05eb4
SHA-256: 8772e90c36b21c734e67764b7a0ff8ca7ddb41f96c7ed13caf3ffb86903c00d4
Risk Score: 110

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded links to external websites, with one URL specifically identified as a potential download source for a PDF. The heuristic 'SE_LOLBIN_RUN_COMMAND' indicates the presence of instructions for executing Windows scripting tools, suggesting a mechanism for further payload delivery or execution. The ClamAV detection further confirms the malicious nature of the file, classifying it as a 'Pdf.Dropper.Agent'. The document body's content about outdoor buildings appears to be a lure to entice users to click on the malicious links.

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-9645925-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9645925-0
  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                     Size
font_00_sfnt_off000045dd.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x45DD  10192 bytes
  SHA-256: 88e3d70adf5fcc8107cc58473cc4d73574e77c7db7a5548978f7efcaf581ec9e
font_01_sfnt_off0000665e.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x665E  7540 bytes
  SHA-256: a81e4f9457978ba9bcdca481b70a0038e31cbd40438b28c800cda5613c5e9148