Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5249054a5409ddb…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2018-06-11 09:36:35 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 501e9c9685288931a43ec4f688089428
SHA-1: debc111fcb85d5823bc1a3dd96c6a0d5864283cd
SHA-256: c5249054a5409ddb00c3ae8d14aa3b786967fa91995b28d3dc2a49a71959c156
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains multiple heuristics indicating a malicious workflow, specifically the 'PDF_REPEATED_PAYLOAD_LINK_LURE' and 'PDF_URI' firings. These point to the use of invisible and repeated links to trick the user into downloading a payload, disguised as a Toys R Us coupon code. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports the lure-based attack pattern. The primary URLs associated with these lures are http://uncpbisdegree.com/download3.php?q=toys-r-us-coupon-code.pdf and https://givingassistant.org/coupon-codes/toysrus.com.

Heuristics (4)

  • Invisible/repeated PDF links deliver payload file [critical] PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://uncpbisdegree.com/download3.php?q=toys-r-us-coupon-code.pdf
    • http://uncpbisdegree.com/download4.php?q=toys-r-us-coupon-code.pdf
    • https://givingassistant.org/coupon-codes/toysrus.com
    • https://www.couponsherpa.com/toys-r-us/
    • https://www.couponsherpa.com/category/toys-and-games/
    • https://www.couponchief.com/toysrus
    • http://www.southernsavers.com/toys-r-us-clearance-sale-20-coupon/
    • http://www.southernsavers.com/kids/
    • https://givingassistant.org/coupon-codes/babiesrus.com
    • http://www.southernsavers.com/toys-r-us-40-off-bikes-for-kids-adults/
    • http://www.southernsavers.com/online-shopping/
    • http://corporateofficehq.com/toys-r-us-corporate-office/
    • https://www.save.ca/flyers/toys-r-us
    • https://www.dealcatcher.com/disney-store-coupons
    • http://www.coupongreat.com/detail/einsteinbros.com.html
    • http://www.coupongreat.com/Restaurant/
    • http://www.coupongreat.com/detail/beefobradys.com.html
    • http://uncpbisdegree.com/1/sharks-stained-glass-coloring-book-english-edition.pdf
    • http://uncpbisdegree.com/1/stewart-essential-calculus-solutions-manual.pdf
    • http://riverside-resort.net/1/windward-boardshop-coupon.pdf
    • http://uncpbisdegree.com/1/teaching-special-students-in-general-education-classrooms-6th.pdf
    • http://uncpbisdegree.com/1/shipmasters-business-self-examiner-book.pdf
    • http://uncpbisdegree.com/1/the-election-process.pdf
    • http://uncpbisdegree.com/1/student-response-packet-badminton-answers.pdf
    • http://riverside-resort.net/1/vomiting-after-acupuncture.pdf
    • http://riverside-resort.net/1/va-national-cad-standard-application-guide.pdf
    • http://uncpbisdegree.com/1/sheet-metal-worker-union-test-study-guide.pdf
    • https://www.toysrus.com/toys/deals/great-deals-coupons-sales
    • https://www.groupon.com/coupons/stores/toysrus.com
    • https://www.groupon.com/coupons
    • https://www.groupon.com/coupons/categories/toys
    • https://www.toysrus.com/
    • http://www.tmz.com/2017/12/21/gypsy-sisters-star-mellie-stanley-arrested/
    • https://www.retailmenot.com/view/toysrus.com
    • https://www.topcashback.co.uk/toys-r-us/
    • https://slickdeals.net/article/news/toys-r-us-liquidation-sales-are-scheduled-to-begin-march-22nd/
    • https://www.coupons.com/coupon-codes/
    • https://www.wral.com/toys-r-us-closing-all-u-s-stores/17418380/
    • https://www.target.com/
    • https://www.wral.com/toys-r-us-durham-locations-closing/17288710/
    • https://www.offers.com/babies-r-us-canada/
    • https://www.offers.com/c/baby/
    • https://www.geekbuying.com/Promotion/Festival_CouponZone
    • http://www.leapfrog.com/en-us/home
    • https://www.topcashback.com/babies-r-us/
    • https://couponfollow.com/site/george.com
    • https://www.coupons.com/coupon-codes/improvements/
    • https://www.coupons.com/coupon-codes/categories/home-garden/
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    +3 more URL(s)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off0000554e.bin
    SHA-256: b6dd793b9e393852c266be20fe92c2c9476989463b8d6c31ab55051a7621dfa7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x554E
    Size: 9964 bytes
  • font_01_sfnt_off00007517.bin
    SHA-256: 786660ef62a41826dd84be65a8cbc79c190a01fc8602e33b980e4d5b1eb6e0e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7517
    Size: 6492 bytes