Malicious PDF — malware analysis report

Static analysis result for SHA-256 a33355a71031e405…

MALICIOUS

PDF

Size: 37.0 KB
Created: 2018-06-11 08:05:17 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-08-25
MD5: c0e3ac6e1939300062b3eb2ed755b32c
SHA-1: 3dea7d90976d87e6dd5bfa7b32edc8f0e9ff380a
SHA-256: a33355a71031e4056f09cd544bd58aa7320491a5b9d8b3c5181fe341274c1555
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains embedded URLs and a document body that mimics interview preparation material for Walmart cashier positions. The presence of a PDF_URI heuristic firing and the ML_NYX_PDF_MALICIOUS classification strongly suggest malicious intent. The document body includes multiple links to external sites, including one that appears to be a direct download link for a PDF, indicating a likely attempt to deliver a malicious payload or phish for credentials under the guise of job application assistance.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9062

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=walmart-cashier-interview-questions-and-answers.pdf (In PDF document text)
    • http://uncpbisdegree.com/download4.php?q=walmart-cashier-interview-questions-and-answers.pdf (In PDF document text)
    • http://jobinterviewat.com/wal-mart-interview-guide/ (In PDF document text)
    • https://www.job-applications.com/walmart-job-interview-tips/ (In PDF document text)
    • https://www.job-applications.com/interview-tips/ (In PDF document text)
    • https://toughnickel.com/finding-job/Walmart-hiring (In PDF document text)
    • https://toughnickel.com/finding-job/ (In PDF document text)
    • https://theinterview.top/best-career-aspirations-samples-interview-resume/ (In PDF document text)
    • https://jobapplicationreview.com/store-applications/department-store-job-applications/walmart-application-career-guide/ (In PDF document text)
    • https://corporateofficehqinfo.com/walmart-corporate-office/ (In PDF document text)
    • http://www.headquartersinfo.com/walmart-headquarters-information/ (In PDF document text)
    • http://www.headquartersinfo.com/category/retailers/ (In PDF document text)
    • http://www.jwj.org/walmart-store-manager-exposes-systematic-attack-on-employee-benefits (In PDF document text)
    • http://corporateofficehq.com/walmart-corporate-office/ (In PDF document text)
    • http://www.sequenceinc.com/fraudfiles/2013/05/primerica-financial-services-the-fake-job-interview/ (In PDF document text)
    • https://jobapplicationreview.com/store-applications/home-depot-application-career-guide/ (In PDF document text)
    • http://www.onedayonejob.com/jobs/the-landers-group/ (In PDF document text)
    • http://www.myemploymentlawyer.com/cgi-bin/mel/app.cgi?action=browse&cat=Unemployment&type=questions (In PDF document text)
    • http://www.myemploymentlawyer.com/all/Unemployment (In PDF document text)
    • http://www.myemploymentlawyer.com/cgi-bin/mel/app.cgi?action=browse&cat=Defamation (In PDF document text)
    • http://www.myemploymentlawyer.com/all/Defamation (In PDF document text)
    • http://www.datagrabber.org/who-wants-to-be-a-millionaire/facebook-millionaire-final-answer-cheat-list/ (In PDF document text)
    • https://knifeup.com/cutco-knives-and-vector-marketing-is-a-scam/ (In PDF document text)
    • http://corporateofficehq.com/dollar-tree-corporate-office/ (In PDF document text)
    • http://www.contactcustomerservicenow.com/contact-target-customer-service/ (In PDF document text)
    • https://www.diattorney.com/sedgwick-cms/ (In PDF document text)
    • https://www.fox25boston.com/news/discovery-of-hidden-gps-tracker-leads-to-mass-supreme-court-case/742286360 (In PDF document text)
    • http://riverside-resort.net/1/what-mineral-is-used-in-drywall.pdf (In PDF document text)
    • http://uncpbisdegree.com/1/the-hill-and-beyond-childrens-television-drama-an-encyclopedia.pdf (In PDF document text)
    • http://uncpbisdegree.com/1/solutions-to-the-2015-ap-calculus-response.pdf (In PDF document text)
    • http://riverside-resort.net/1/urinary-system-word-search.pdf (In PDF document text)
    • http://uncpbisdegree.com/1/sixty-acres-and-a-bride-ladies-of-caldwell-county-1-regina-jennings.pdf (In PDF document text)
    • http://riverside-resort.net/1/who-wrote-the-doi.pdf (In PDF document text)
    • http://uncpbisdegree.com/1/the-dark-side-of-innocence-growing-up-bipolar-kindle-edition-terri-cheney.pdf (In PDF document text)
    • http://uncpbisdegree.com/1/the-compact-guide-to-the-worlds-religions-compact-encyclopedia-compact-guides.pdf (In PDF document text)
    • http://uncpbisdegree.com/1/silver-wattle.pdf (In PDF document text)
    • http://riverside-resort.net/1/wool-water-gloucestershire-woollen-industry-and-its-mills.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://www.snagajob.com/resources/the-right-answer-to-assessment-questions/ (In PDF document text)
    • https://www.snagajob.com/resources/ (In PDF document text)
    • https://www.snagajob.com/resources/applying/ (In PDF document text)
    • http://www.askamanager.org/2018/02/is-it-okay-to-turn-down-a-job-in-the-middle-of-the-interview.html (In PDF document text)
    • https://www.care.com/c/questions/22848/am-i-being-scammed/ (In PDF document text)
    • https://mail.google.com/mail/u/0/ (In PDF document text)
    • https://www.snagajob.com/resources/whos-really-hiring-ive-applied-to-tons-of-jobs/ (In PDF document text)
    • https://www.snagajob.com/resources/resumes-applications/ (In PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (In PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (In PDF document text)
    • https://go.microsoft.com/fwlink/?linkid=868922 (In PDF document text)
    +3 more URL(s)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
font_00_sfnt_off000054b7.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54B7 | 10268 bytes
  SHA-256: 3b330440abe15244bd1b2b5b0529cfcedac1f539f18a71867370a60a92197c1a
font_01_sfnt_off0000755b.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x755B | 7068 bytes
  SHA-256: f7df278a22887fa13349264c10533255cd305ca8143e8b2743647e7137a19ea7