Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b8339e2de812306…

MALICIOUS

PDF

Size: 35.2 KB
Created: 2018-06-11 09:01:57 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 3ca4872ce7adc21420a8968fcee3a6ae
SHA-1: b12d963b572c09ebccc99c58e2568d2b34c3d968
SHA-256: 8b8339e2de8123062adbc566b84170c7b7de538c3d9cbd790b2884165c7b6a5d
Risk score: 130

Machine Learning

  • Nyx PDF Classifier malicious score 0.9395

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm [medium] PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel)
    • http://uncpbisdegree.com/download3.php?q=t4-free-wiring-diagrams.pdf (In PDF document text)
    • http://uncpbisdegree.com/download4.php?q=t4-free-wiring-diagrams.pdf (In PDF document text)
    • http://www.naemotors.com/wp-content/uploads/2011/08/Single-Phase1.pdf (In PDF document text)
    • http://www.abcccodes.com/vw-t4-wiring-diagram-pdf/ (In PDF document text)
    • http://www.zytrax.com/tech/layer_1/cables/tech_lan.htm (In PDF document text)
    • http://www.rigmasterpower.com/support/support-materials/ (In PDF document text)
    • http://www.lorencook.com/PDFs/IOMs/Gemini_IOM.pdf (In PDF document text)
    • http://www.vwcamperguide.com/html/vw_t4_buyers_guide.html (In PDF document text)
    • http://www.autolumination.com/conversion.html (In PDF document text)
    • http://www.clubvw.org.au/oldart029 (In PDF document text)
    • http://burnscamp.org.uk/3/1/subaru-sti-2005-wiring-diagram.pdf (In PDF document text)
    • https://www.lsenginediy.com/ls-swaps-wiring-harness-and-wiring-guide/ (In PDF document text)
    • http://www.campervanconversion.co.uk/campervan-conversions-book (In PDF document text)
    • http://www.atos.com/dam/jcr:2cba1353-6dd2-4480-ae81-60056733dddc/E120.pdf (In PDF document text)
    • http://www.lathes.co.uk/manuals/ (In PDF document text)
    • https://www.carlsalter.com/all-motorcycle-manuals.asp (In PDF document text)
    • http://www.greenspun.com/bboard/q-and-a.tcl?topic=Elevator+Problem+Discussion (In PDF document text)
    • http://www.autorepairmanuals.biz/page/372807 (In PDF document text)
    • http://boatinfo.no/lib/mercruiser/manuals/mercruiser41.html (In PDF document text)
    • http://www.epanorama.net/links/tele_lan.html (In PDF document text)
    • http://www.iceweb.com.au/Ex-web/electstandards.htm (In PDF document text)
    • http://riverside-resort.net/1/under-the-skin-michel-faber.pdf (In PDF document text)
    • http://riverside-resort.net/1/tulipa-a-photographer-botanical.pdf (In PDF document text)
    • http://riverside-resort.net/1/solution-manual-of-managerial-finance-by-gitman.pdf (In PDF document text)
    • http://riverside-resort.net/1/thomas-jefferson-estate-tax.pdf (In PDF document text)
    • http://riverside-resort.net/1/toyota-van-1988-engine-compartment-fuse-diagram.pdf (In PDF document text)
    • http://riverside-resort.net/1/study-guide-for-sports-medicine.pdf (In PDF document text)
    • http://riverside-resort.net/1/top-notch-second-edition-unit-7.pdf (In PDF document text)
    • http://riverside-resort.net/1/the-reckoning-new-heroes-quantum-prophecy-3-michael-carroll.pdf (In PDF document text)
    • http://riverside-resort.net/1/the-last-surgeon.pdf (In PDF document text)
    • http://riverside-resort.net/1/title-student-solutions-manual-for-stewarts-essential.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://www.practicalmachinist.com/vb/south-bend-lathes/square-d-drum-switch-wiring-252154/ (In PDF document text)
    • http://www.practicalmachinist.com/vb/south-bend-lathes/ (In PDF document text)
    • http://www.qsl.net/g4wpw/date.html (In PDF document text)
    • http://www.moog.com/literature/ICD/Moog-ServoMotors-ExD_Series-Catalog-en.pdf (In PDF document text)
    • https://www.manualslib.com/manual/1313539/Mitsubishi-Electric-Fr-F820-00077.html (In PDF document text)
    • https://www.manualslib.com/brand/mitsubishi-electric/inverter.html (In PDF document text)
    • https://www.manualslib.com/products/Mitsubishi-Electric-Fr-F820-00077-8800001.html (In PDF document text)
    • https://en.wikipedia.org/wiki/NASCAR (In PDF document text)
    • https://www.scribd.com/document/113104774/TM-9-2320-392-13P (In PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (In PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (In PDF document text)
    • https://go.microsoft.com/fwlink/?linkid=868922 (In PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409 (In PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=617297 (In PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00004c07.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4C07 | 10804 bytes
  SHA-256: 5d87b77fef35add8673f6e1d71081b5c27bd60ba9ea01ee875c6f2d47f2ce624
font_01_sfnt_off00006e48.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6E48 | 7100 bytes
  SHA-256: 345c2bab96da1f163e26ed4d8e06f0586e06359c42a532a13b408e742779fa8a