Malicious PDF — malware analysis report

Static analysis result for SHA-256 aaf7180d4b9fac19…

MALICIOUS

PDF

Size: 47.2 KB
Created: 2018-06-11 09:07:19 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: f2fa9c9367533ed71cb383a842ef841f
SHA-1: ba843109d6024e63ac3e66d8c5b67701431b7c7c
SHA-256: aaf7180d4b9fac1965ba384b0bb39286554bdf2ae71251243499c146073d268b
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1566 Phishing
  • T1566.002 Phishing: Spearphishing Attachment

The PDF document uses a lure related to wine and fish pairings to trick users into downloading a malicious file. The heuristic 'PDF_SEO_FAKE_DOWNLOAD' and the presence of external URIs pointing to 'uncpbisdegree.com' strongly indicate a phishing attempt. The document body contains multiple URLs, including the primary malicious download link, reinforcing the social engineering aspect.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5580

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=wine-with-fish.pdf
    • http://uncpbisdegree.com/download4.php?q=wine-with-fish.pdf
    • http://www.theworldwidewine.com/Wine_and_food/wine-and-fish.php
    • https://www.packagingoftheworld.com/2018/05/fish-club-wine.html
    • https://www.coastalliving.com/food/dinner-in-a-breeze/seafood-wine-pairings
    • https://www.coastalliving.com/food
    • https://www.coastalliving.com/food/dinner-in-a-breeze
    • http://www.gayot.com/wine/top10seafood-wines/main.html
    • https://learn.winecoolerdirect.com/wine-and-fish-pairings/
    • https://learn.winecoolerdirect.com/wine-info/
    • https://learn.winecoolerdirect.com/wine-info/tasting-guide/
    • http://susieandpeter.com/wine-for-fishnchips/
    • https://www.downthecove.com/food-drink/wine-pairing-guide/
    • http://www.hellovino.com/wine/pairing/fish
    • https://www.ourstate.com/wine-and-fish-pairing-guide/
    • https://www.wineturtle.com/best-wine-with-salmon-fish/
    • https://www.matchingfoodandwine.com/
    • https://www.letitwine.com/en/chianti-red-wine-that-pairs-with-fish/
    • https://www.letitwine.com/en/
    • https://www.letitwine.com/en/category/style-and-food/
    • http://eat.snooth.com/recipe-pairing-guide/seafood/fried-fish/
    • http://eat.snooth.com/pairing-guide/
    • http://eat.snooth.com/recipe-pairing-guide/seafood/
    • http://www.wideopenspaces.com/how-to-pair-wine-with-fish-freshwater-edition/
    • http://thehealthyfish.com/wine-pairing-101-best-wines-pair-seafood/
    • http://thehealthyfish.com/category/recipes/
    • http://www.enjoyhopewellvalleywines.com/wine-with-seafood.html
    • http://www.enjoyhopewellvalleywines.com/wine-and-fish.html
    • http://www.hellovino.com/wine/pairing/fish/flounder
    • http://www.gayot.com/wine/pairing/seafood.html
    • https://cookeatshare.com/popular/wine-with-fish-pie
    • http://www.drvino.com/2009/06/11/fish-and-chips-food-wine-pairing/
    • https://www.matchingfoodandwine.com/news/pairings/4_good_wine_styles_to_pair_with_fish_pie__/
    • http://thewinesisters.com/blog/2013/02/super-bowl-sunday-dinner-beer-battered-fish-n-chips/
    • http://riverside-resort.net/1/solutions-work-answers-unit-9.pdf
    • http://riverside-resort.net/1/the-alchemist-book-questions.pdf
    • http://riverside-resort.net/1/the-ipad-for-photographers-master-the-newest-tool-in-your-camera-bag.pdf
    • http://riverside-resort.net/1/the-procedure.pdf
    • http://riverside-resort.net/1/the-distance-manager-a-hands-on-guide-to-managing-off-site-employees-and-virtual-teams.pdf
    • http://riverside-resort.net/1/tracking-the-man-beasts-sasquatch-vampires-zombies-and-more.pdf
    • http://riverside-resort.net/1/suzuki-f10d-engine-manual.pdf
    • http://riverside-resort.net/1/topical-review-company-earth-science-answers.pdf
    • http://riverside-resort.net/1/the-healthy-pc-preventive-care-home-remedies-and-green-computing-2nd-edition.pdf
    • http://riverside-resort.net/1/the-journal-of-english-and-germanic-philology.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://winefolly.com/tutorial/wine-with-fish-pairing-guide/
    • https://www.thespruceeats.com/pairing-wine-with-seafood-1300638
    • https://www.foodandwine.com/articles/best-wines-for-seafood
    • https://www.williams-sonoma.com/recipe/tip/pairing-wine-with-fish-and-shellfish.html
    +38 more URL(s)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007b3d.bin
    SHA-256: 791726363d415bebed75097572daa6f716fe56b29e74bec2ab775eb991a06944
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B3D
    Size: 10308 bytes
  • Filename: font_01_sfnt_off00009bfe.bin
    SHA-256: 410f3ae6e2c928998360ca9b7c85267dbc42daa9ffb054339adf1e31ae93bc9f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9BFE
    Size: 6352 bytes