Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf83519a8e67c957…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2018-06-11 08:46:57 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-07
MD5: 8f0108424fec0b702490febf961afcc1
SHA-1: 072191ca30eb61acbcaec01ba3f2a42f144c0de1
SHA-256: cf83519a8e67c95720331b191ce7396cf6ecf792a0aa3af6cbf92ff9540119a3
Risk score: 130

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8007

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware or scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm [medium] PDF_SEO_PHP_GATEWAY_LINK_FARM
    The PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or a numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=the-arabic-alphabet-flash-cards-write-and-wipe.pdf (in PDF document text)
    • http://uncpbisdegree.com/download4.php?q=the-arabic-alphabet-flash-cards-write-and-wipe.pdf (in PDF document text)
    • http://www.shtfplan.com/headline-news/white-house-prepares-for-emp-that-would-wipe-out-power-render-cellphones-and-internet-useless_11062015 (in PDF document text)
    • https://www.businessballs.com/amusement-stress-relief/cliches-and-expressions-of-origin-1809/ (in PDF document text)
    • https://www.businessballs.com/course/ (in PDF document text)
    • https://www.businessballs.com/amusement-stress-relief/ (in PDF document text)
    • http://www.bscsales.com/documents/FY18Q2-AbilityOneData-BSCFinal.xlsx (in PDF document text)
    • http://jujaitaly.net/ (in PDF document text)
    • https://www.spirit-animals.com/spider/ (in PDF document text)
    • https://www.spirit-animals.com/category/insect-arachnid/ (in PDF document text)
    • http://www.tomegatherion.co.uk/biography.htm (in PDF document text)
    • http://techotv.com/top-10-plus-yu-yureka-demerits-cons-problems-solutions/ (in PDF document text)
    • https://www.globalgreyebooks.com/content/books/ebooks/orlando-a-biography.epub (in PDF document text)
    • http://prophecyfulfillment.com/ (in PDF document text)
    • http://www.manythings.org/vocabulary/lists/a/words.php?f=3esl (in PDF document text)
    • http://www.aaronswwadventures.com/2013/01/leaving-tel-aviv-israel-airport-security-ben-gurion/ (in PDF document text)
    • http://www.tartanplace.com/tartanhistory/concentrationcamps.html (in PDF document text)
    • http://www.realjewnews.com/?p=555 (in PDF document text)
    • http://www.pangloss.com/seidel/MPoem/mass_poem.cgi (in PDF document text)
    • http://www.unitedwaytri-county.org/files/uwdscatalog.xls (in PDF document text)
    • http://www.eustacemullins.us/works/ (in PDF document text)
    • http://www.dailycrow.com/ (in PDF document text)
    • http://buratto-map.net/spot.php?id=171 (in PDF document text)
    • http://riverside-resort.net/1/zimsec-science-paper-2-june-2014.pdf (in PDF document text)
    • http://riverside-resort.net/1/what-is-unresponsive-wakefulness.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/supermicro-p4spe-owners-manual.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/solutions-general-electric.pdf (in PDF document text)
    • http://riverside-resort.net/1/when-your-spouse-dies-hope-healing.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/suzuki-140-outboard-service-manual.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/the-dangerous-book-for-boys-conn-iggulden.pdf (in PDF document text)
    • http://riverside-resort.net/1/what-were-the-salem-witch-trials-what-was.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/term4-natural-science-grade-9-exam.pdf (in PDF document text)
    • http://riverside-resort.net/1/why-is-it-so-hot.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://www.teacherspayteachers.com/Browse/Search:fundations (in PDF document text)
    • https://www.teacherspayteachers.com/Browse/Search:farm (in PDF document text)
    • https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.bscsales.com%2Fdocuments%2FFY18Q2-AbilityOneData-BSCFinal.xlsx (in PDF document text)
    • https://www.quora.com/How-should-I-start-learning-Python-1 (in PDF document text)
    • https://www.informationweek.com/default.asp (in PDF document text)
    • https://www.psychologytoday.com/us/blog/inside-the-box/201402/thinking-outside-the-box-misguided-idea (in PDF document text)
    • https://en.wikipedia.org/wiki/IOS_version_history (in PDF document text)
    • https://mail.google.com/mail/u/0/ (in PDF document text)
    • https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.unitedwaytri-county.org%2Ffiles%2Fuwdscatalog.xls (in PDF document text)
    • http://music.163.com/ (in PDF document text)
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=ZH-CHS_EN&a=http%3a%2f%2fmusic.163.com%2f (in PDF document text)
    • http://translate.google.hu/ (in PDF document text)
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=JA_EN&a=http%3a%2f%2fburatto-map.net%2fspot.php%3fid%3d171 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (in PDF document text)
    +4 more URL(s)
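The PDF_SEO_PHP_GATEWAY_LINK_FARM and PDF_SEO_FAKE_DOWNLOAD rules above can be reproduced as a small rule set and run over the extracted URL list. The following Python is an added example written for this page, not the scanner's own code: the slug regex, the 0.5 ML threshold, the `doc_host` parameter and the two `gateway.example` URLs are this example's assumptions; the other URLs in the sample are taken from the list above.

```python
"""Added example: a re-implementation of the report's two SEO-poisoning heuristics.
Not the scanner's code; thresholds and the slug grammar are assumptions."""
import re
from urllib.parse import urlparse, parse_qs

# Multi-word search-phrase slug ending in a document extension, e.g.
# "the-arabic-alphabet-flash-cards-write-and-wipe.pdf" or "binary+options+trading+nz.pdf".
# Requiring at least two separators keeps a plain filename such as "report-2018.pdf" out
# (that cutoff is this example's assumption). Space is accepted because parse_qs
# turns '+' into ' '.
DOC_SLUG = re.compile(r"(?:[a-z0-9]+[-+ ]){2,}[a-z0-9]+\.(?:pdf|docx?|xlsx?|epub)$", re.I)
PHP_SCRIPT = re.compile(r"\.php(?=/|$)", re.I)
CTA = re.compile(r"click here to download|download now|free download", re.I)
ML_THRESHOLD = 0.5  # assumption: the report only shows 0.8007 being treated as malicious

# Constructed sample: URLs from the report's list plus two (marked) in the shapes
# the link-farm rule text itself cites.
REPORT_URLS = [
    "http://uncpbisdegree.com/download3.php?q=the-arabic-alphabet-flash-cards-write-and-wipe.pdf",
    "http://uncpbisdegree.com/download4.php?q=the-arabic-alphabet-flash-cards-write-and-wipe.pdf",
    "http://riverside-resort.net/1/zimsec-science-paper-2-june-2014.pdf",  # static path, no gateway
    "http://www.manythings.org/vocabulary/lists/a/words.php?f=3esl",        # php with a short id: benign shape
    "http://buratto-map.net/spot.php?id=171",                               # php with a numeric id: benign shape
    "https://www.businessballs.com/course/",
    "http://gateway.example/pdf.php/cialis-dosage-side-effects.pdf",       # constructed
    "http://gateway.example/index.php?q=binary+options+trading+nz.pdf",    # constructed
]


def gateway_payload(url):
    """Return the document slug if `url` is a .php gateway carrying one, else None.
    Covers both shapes named in the rule: slug in the query string
    (download3.php?q=<slug>.pdf) and slug in the path after the script (pdf.php/<slug>.pdf)."""
    parts = urlparse(url)
    m = PHP_SCRIPT.search(parts.path)
    if not m:
        return None
    tail = parts.path[m.end():].lstrip("/")
    if tail and DOC_SLUG.search(tail):
        return tail
    for values in parse_qs(parts.query).values():
        for v in values:
            if DOC_SLUG.search(v):
                return v
    return None


def query_names_payload(url):
    """True only for the query-string shape, which is what the critical rule keys on."""
    return any(DOC_SLUG.search(v)
               for values in parse_qs(urlparse(url).query).values() for v in values)


def evaluate(ml_score, body_text, urls, doc_host=None):
    """Apply the three rules and return {rule_id: severity}.
    `doc_host` (assumption: supplied by the caller) is the host the document claims as
    its own; a gateway on any other host counts as off-domain."""
    findings = {}
    gateways = [u for u in urls if gateway_payload(u)]
    cta = bool(CTA.search(body_text))
    if cta:
        findings["SE_DOWNLOAD_BUTTON"] = "low"
    if len(gateways) >= 4:
        findings["PDF_SEO_PHP_GATEWAY_LINK_FARM"] = "medium"
    off_domain = [u for u in gateways
                  if query_names_payload(u) and urlparse(u).hostname != doc_host]
    # The critical verdict needs all three signals; any one alone is not enough.
    if ml_score >= ML_THRESHOLD and cta and off_domain:
        findings["PDF_SEO_FAKE_DOWNLOAD"] = "critical"
    return findings


if __name__ == "__main__":
    print(evaluate(0.8007, "Click here to download", REPORT_URLS))
    # A benign brochure with a download button and a direct link: only the low-signal hit.
    print(evaluate(0.1, "Download Now", ["https://vendor.example/brochure.pdf"]))
```

The second call in the usage block is the point of the conjunction rule: a call-to-action phrase plus a direct `.pdf` link on its own produces only the low-severity SE_DOWNLOAD_BUTTON hit, and the same link farm without a call-to-action phrase stops at the medium link-farm finding.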

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000568e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x568E   10244 bytes
  SHA-256: 83f6fa906fb07262d59dc18936a89fd43c6d2fedc97a1f9935063b8ddb0923e7
font_01_sfnt_off00007746.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7746   6904 bytes
  SHA-256: 64ee4c6586dd0945218667147f952b1551cfc4ad4e87aea2a0d6b8eaa68203f2
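The report raises no finding against the two carved font streams, but an embedded font is the one artifact here that a PDF reader parses natively, so the first triage step on a carved sfnt is to check that its table directory actually fits inside the blob. The following Python is an added example, not part of the report or its scanner; the two-table sample font it builds is constructed for the demonstration and is not one of the files listed above.

```python
"""Added example: sanity-check a carved sfnt font stream before deeper triage.
Not the scanner's code; the sample font below is constructed, not the report's."""
import struct

SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF", b"true": "TrueType (Apple)"}


def parse_sfnt(data):
    """Parse the offset table and table directory of an sfnt blob.
    Returns (flavor, {tag: (offset, length)}, problems); `problems` lists directory
    entries that do not fit inside the blob, which is the first thing to look at when
    a carved font is suspected of being a parser exploit rather than a font."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt offset table")
    flavor = SFNT_MAGICS.get(bytes(data[:4]))
    if flavor is None:
        raise ValueError("not an sfnt: magic %r" % bytes(data[:4]))
    num_tables = struct.unpack(">H", data[4:6])[0]
    dir_end = 12 + 16 * num_tables
    tables, problems = {}, []
    if dir_end > len(data):
        problems.append("directory claims %d tables but blob holds %d bytes" % (num_tables, len(data)))
        num_tables = (len(data) - 12) // 16
    for i in range(num_tables):
        rec = 12 + 16 * i
        tag, _checksum, off, length = struct.unpack(">4sIII", data[rec:rec + 16])
        tag = tag.decode("latin-1")
        tables[tag] = (off, length)
        # A table must start after the directory and end inside the blob; Python ints
        # do not wrap, so off + length cannot overflow the way a C parser's would.
        if off < dir_end or off + length > len(data):
            problems.append("%s: offset %d + length %d exceeds %d-byte blob" % (tag, off, length, len(data)))
    return flavor, tables, problems


def build_sample(bad=False):
    """Constructed two-table TrueType shell; with bad=True the 'glyf' length runs past the end."""
    num_tables = 2
    dir_end = 12 + 16 * num_tables
    body = b"\x00" * 64
    entries = [(b"head", dir_end, 32), (b"glyf", dir_end + 32, 0x7FFFFFFF if bad else 32)]
    blob = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num_tables, 32, 1, 0)
    for tag, off, length in entries:
        blob += struct.pack(">4sIII", tag, 0, off, length)
    return blob + body


if __name__ == "__main__":
    for bad in (False, True):
        flavor, tables, problems = parse_sfnt(build_sample(bad))
        print(flavor, tables, problems)
```

To run it on the carved artifacts, pass the file contents in directly, e.g. `parse_sfnt(open("font_00_sfnt_off0000568e.bin", "rb").read())`; an empty `problems` list means the directory is at least self-consistent, which is a precondition for, not proof of, a benign font.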