Malicious PDF — malware analysis report

Static analysis result for SHA-256 c90d25348b63b583…

MALICIOUS

PDF

Size: 31.6 KB
Created: 2018-06-11 09:03:22 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 00ed57fadb20fcbecf86690d6aef5c4c
SHA-1: 1523128d6d9e782435d30bb68ad031c336aa284b
SHA-256: c90d25348b63b583f8304b4fd9ae0c62a47b34a3cfffee032c692064a779b38c
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains heuristics indicating it is a fake download lure, specifically using SEO poisoning to trick users into downloading a malicious file. The embedded URLs and document body point to a download link for a book, which is likely a pretext to deliver malware. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9202

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=the-house-of-the-spirits-a-novel.pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000420a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x420A   10072 bytes
    SHA-256: 839e79c851336c4214658d574c39bfe19cfd76135e1d81155488ae0f4a4da0a6
font_01_sfnt_off0000623c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x623C   6768 bytes
    SHA-256: df277746a24790b79146fe21eb058ae7e47ebc5c2dc471bfa7a9c8e5b9cf8d17