Malicious PDF — malware analysis report

Static analysis result for SHA-256 922dad5ff2cea246…

MALICIOUS

PDF

30.1 KB Created: 2018-06-11 09:10:15 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-09-24
MD5: 12f8cd3368b2198f896e68e7dfee6062 SHA-1: 7978fc7a76b1aca2e9aded228f37058ab71d054d SHA-256: 922dad5ff2cea2465eeab118f2b679981fdab724df438b81eb74b1792f9220ae
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded URLs that point to a suspicious domain, likely intended to trick the user into downloading a malicious file. The ML classifier also flagged this PDF as malicious. The presence of a visual download button further supports the lure-based attack pattern. No scripts were extracted, limiting the ability to determine the exact payload or persistence mechanisms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9382

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=the-letters-of-hildegard-of-bingen-vol-ii.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=the-letters-of-hildegard-of-bingen-vol-ii.pdfIn PDF document text
    • http://www.hildegardiana.es/36otrasobras.htmlIn PDF document text
    • http://riverside-resort.net/1/the-wilderness-samantha-harvey.pdfIn PDF document text
    • http://riverside-resort.net/1/togaf-version-9-1-togaf-series.pdfIn PDF document text
    • http://riverside-resort.net/1/solution-manual-calculus-michael-spivak-4th-edition.pdfIn PDF document text
    • http://riverside-resort.net/1/service-manuals-autos-sale.pdfIn PDF document text
    • http://riverside-resort.net/1/sun-parlor-critical-thinking-answers.pdfIn PDF document text
    • http://riverside-resort.net/1/solution-880-user-manual.pdfIn PDF document text
    • http://riverside-resort.net/1/statistics-test-13c-answers.pdfIn PDF document text
    • http://riverside-resort.net/1/thermoelectric-power-in-nanostructured-materials-strong-magnetic-fields.pdfIn PDF document text
    • http://riverside-resort.net/1/toy-making-at-home-how-to-make-a-hundred-toys-from-odds-and-ends-illustrated.pdfIn PDF document text
    • http://riverside-resort.net/1/the-palestinian-press-as-shaper-of-public-opinion-1929-39-writing-up-a-storm.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://en.wikipedia.org/wiki/Hildegard_of_BingenIn PDF document text
    • http://www.newadvent.org/cathen/07351a.htmIn PDF document text
    • http://www.newadvent.org/cathenIn PDF document text
    • http://www.newadvent.org/cathen/h.htmIn PDF document text
    • https://en.wikipedia.org/wiki/Ignatius_of_AntiochIn PDF document text
    • http://dx.doi.org/In PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003b42.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3B42 10292 bytes
SHA-256: 24c75689745bb19f134213a85f8ff1ee2cf8443236556229b82850172b915f40
font_01_sfnt_off00005be7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5BE7 7148 bytes
SHA-256: 0dc0583c4dc8fb98c66358d33dea50f0d6a534ec9ccb491a90ea764445d7f5f7

Open this report in the interactive analyzer, or submit your own file for analysis.