Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5576dca13ba443f…

MALICIOUS

PDF

32.7 KB Created: 2018-06-11 09:19:48 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-08-25
MD5: 811e50c850d3dced354a11ab24c5d428 SHA-1: 37bfcca6f27a42fd6884f9beb963e7de27af16c2 SHA-256: a5576dca13ba443fdc811841e2dfd56b5b4ebf57dc5c504b5759ee32f45ce47b
130 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9123

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=syria-the-fall-of-the-house-of-assad-new-updated-edition.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=syria-the-fall-of-the-house-of-assad-new-updated-edition.pdfIn PDF document text
    • http://www.realjewnews.com/?p=1200In PDF document text
    • http://www.bollyn.com/In PDF document text
    • http://riverside-resort.net/1/students-projects-in-environmental-science-ebook.pdfIn PDF document text
    • http://riverside-resort.net/1/tiddly-jinx.pdfIn PDF document text
    • http://riverside-resort.net/1/surprise-crochet-sweaters-for-baby.pdfIn PDF document text
    • http://riverside-resort.net/1/springboard-algebra-2-pg-66-answer.pdfIn PDF document text
    • http://riverside-resort.net/1/the-hours-michael-cunningham.pdfIn PDF document text
    • http://riverside-resort.net/1/study-guide-for-biology-by-johnson-raven.pdfIn PDF document text
    • http://riverside-resort.net/1/toshiba-tv-repair-centre.pdfIn PDF document text
    • http://riverside-resort.net/1/the-sense-of-adharma.pdfIn PDF document text
    • http://riverside-resort.net/1/soccer-the-ultimate-guide-to-the-beautiful-game.pdfIn PDF document text
    • http://riverside-resort.net/1/taleemul-haq-an-authentic-compilation-on-the-five-fundamental-of-islam-reprint-edition.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://www.cnn.com/2018/03/15/middleeast/assad-the-victor-tim-lister-intl/index.htmlIn PDF document text
    • https://www.usatoday.com/story/opinion/2018/04/09/syria-assad-donald-trump-chemical-attack-column/499341002/In PDF document text
    • http://www.dailymail.co.uk/news/article-2414139/Syria-Russia-vows-help-Syria-America-carries-military-strikes-Assad-s-regime.htmlIn PDF document text
    • http://www.dailymail.co.uk/news/article-2123853/Syria-Hillary-Clinton-says-Assad-go.htmlIn PDF document text
    • https://en.wikipedia.org/wiki/Operation_OrchardIn PDF document text
    • https://www.huffingtonpost.co.uk/entry/uk-academics-pro-assad-conspiracy-theories-about-syria_uk_5aa51ea7e4b01b9b0a3c4b10In PDF document text
    • https://abcnews.go.com/internationalIn PDF document text
    • http://www.apnews.com/In PDF document text
    • https://www.cbsnews.com/live/In PDF document text
    • https://en.wikipedia.org/wiki/Islamic_State_of_Iraq_and_the_LevantIn PDF document text
    • https://www.timesofisrael.com/liveblog-may-9-2018/In PDF document text
    • https://www.washingtontimes.com/communities/In PDF document text
    • https://www.jpost.com/Israel-NewsIn PDF document text
    • http://edition.cnn.com/TRANSCRIPTS/sn.htmlIn PDF document text
    • https://www.cnn.com/2018/04/09/us/five-things-april-9-trnd/index.htmlIn PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004520.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4520 10328 bytes
SHA-256: a358fcb638bac8ec1f9b31e6d602340e680c37bdaeb78835c0842600ac080cf4
font_01_sfnt_off000065e8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x65E8 6924 bytes
SHA-256: 45bb2b0f37bbcde51098617ed95674d514c38f57b0f4ef8175537a07f2c75e4e

Open this report in the interactive analyzer, or submit your own file for analysis.