Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2cb2c5f5910c431…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Created: 2018-06-11 08:45:53 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 6af1b3b7e5e135b346b0d4b75f0d2ce9
SHA-1: 3f2e794dd086e2df74a7e1e4e70f47c261063db4
SHA-256: d2cb2c5f5910c431e1701507a54f86d537ba170fe007cd1fcaf57b833b11500e
Risk score: 70

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file is identified as a PDF dropper by ClamAV. The document body contains multiple URLs that mimic academic or financial resources, specifically test banks and solution manuals, which is a common lure for phishing or malware distribution. A download call-to-action button, a low-signal heuristic on its own, further supports this assessment. The primary malicious URL, http://uncpbisdegree.com/download3.php?q=test-bank-solution-manual-collection.pdf, is likely used to serve the secondary payload.

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-9209303-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9209303-0
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://uncpbisdegree.com/download3.php?q=test-bank-solution-manual-collection.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000545e.bin
    SHA-256: dd6a1d8f0d8822c38e07259167de9f47dae62a675203b7ecfdef2ef9b7eeac2e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x545E
    Size: 10432 bytes
  • font_01_sfnt_off000075aa.bin
    SHA-256: 4a5e72b6110eb0ff5af6c857c62fb4e2f972cabcc0535c9f649b1dcf940fc15e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75AA
    Size: 7068 bytes