Malicious PDF — malware analysis report

Static analysis result for SHA-256 a266b590b560ed7d…

MALICIOUS

PDF

35.0 KB Created: 2018-06-11 08:07:52 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: d42d795828e1407d28910bd8d52ab518 SHA-1: 3bf0c48bcf7c37541d860e7dea25e1bb9584140f SHA-256: a266b590b560ed7d10607cdb997cf9500a8ecc660fbe874c6d3f5fe3709bdabe
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The file is identified as a malicious PDF dropper by ClamAV. The document body contains multiple instances of a URL, 'http://uncpbisdegree.com/download3.php?q=the-myth-of-sisyphus-and-other-essays.pdf', which is also flagged as an external URI. This suggests the PDF's primary function is to trick the user into clicking this link, likely leading to the download of a secondary malicious payload. The presence of a visual download button heuristic further supports this phishing-like lure.

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-9299504-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9299504-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=the-myth-of-sisyphus-and-other-essays.pdf
    • http://uncpbisdegree.com/download4.php?q=the-myth-of-sisyphus-and-other-essays.pdf
    • http://www.123helpme.com/search.asp?text=creation+myth
    • http://www.garlikov.com/
    • http://www.123helpme.com/search.asp?text=paradise+lost
    • http://www.mythweb.com/teachers/tips/tips.html
    • http://anandpublications.org/
    • http://aldebakhus.nl/?civil=1861-civil-essays-war.asp
    • http://www.cieliterature.com/reservist/
    • http://placeworks.com/
    • http://placeworks.com/about-us/leadership/
    • https://essayerudite.com/
    • http://www.friesian.com/existent.htm
    • http://kumariexpress.com/
    • http://re-markings.com/OLDIS.htm
    • http://riverside-resort.net/1/uk-specification-for-ground-investigation.pdf
    • http://riverside-resort.net/1/siemens-surpresso-compact-manual-download.pdf
    • http://riverside-resort.net/1/the-modern-rules-of-style.pdf
    • http://riverside-resort.net/1/solution-for-schaum-calculus-4th-edition.pdf
    • http://riverside-resort.net/1/the-prayer-shawl-ministry-volume-2-leisure-arts-4622.pdf
    • http://riverside-resort.net/1/the-autobiography-of-andrew-carnegie-and-the-gospel-of-wealth.pdf
    • http://riverside-resort.net/1/slow-seduction-struck-by-lightning-2-cecilia-tan.pdf
    • http://riverside-resort.net/1/the-art-of-g-r-santosh.pdf
    • http://riverside-resort.net/1/spon-landscape-contract-handbook-a-guide-to-good-practice-and-procedures.pdf
    • http://riverside-resort.net/1/toshiba-aquilion-ct-user-manual.pdf
    • http://riverside-resort.net/1/siemens-su
    • https://www.gradesaver.com/the-myth-of-sisyphus
    • http://www.sparknotes.com/philosophy/sisyphus/summary/
    • http://www.sparknotes.com/philosophy/sisyphus/section11/
    • https://plato.stanford.edu/entries/camus/
    • https://en.wikipedia.org/wiki/Persephone
    • https://en.wikipedia.org/wiki/Albert_Camus
    • https://plato.stanford.edu/entries/suicide/
    • https://en.wikiquote.org/wiki/Albert_Camus
    • http://www.iep.utm.edu/camus/
    • https://www.ukessays.com/essays/english-literature/chief-characteristics-of-victorian-period-essay.php
    • https://www.ukessays.com/essays/
    • https://www.ukessays.com/essays/english-literature/
    • https://www.amazon.com/Stranger-Albert-Camus/dp/0679720200
    • https://www.amazon.com/books-used-books-textbooks/b?ie=UTF8&node=283155
    • https://www.amazon.com/Literature-Fiction-Books/b?ie=UTF8&node=17
    • https://www.amazon.com/World-Literature-Fiction-Books/b?ie=UTF8&node=10311
    • http://go.microsoft.com/fwlink/?LinkID=617350
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d90.bin
dac19ff9f983efcd6cbf4d412aff604f0809909c6c8a28e1fa883aa895eed647		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D90 10264 bytes
font_01_sfnt_off00006e24.bin
2ef8ddd66ede3374fda2e1cc3812c73211ef571487f438aa35fb827cc0251ed3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E24 6852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.