Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5d30c7b01c4766c…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Created: 2018-06-11 08:14:06 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 80d7bceb01ab407304163165f3fae420
SHA-1: 98713c71c146c14922a5ef965bb20d594bcc6530
SHA-256: d5d30c7b01c4766c21559c22b6a82d9bde8ff3877ca3caf191a29398f58c653b
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF's body text and embedded URLs mimic a page of search-engine results for 'solutions manual electric machines'. The critical heuristic PDF_SEO_FAKE_DOWNLOAD identifies it as a fake-download lure: the call-to-action funnels the reader to http://uncpbisdegree.com/download3.php?q=solutions-manual-electric-machines.pdf, a server-side gateway whose query string names the very document the reader was searching for, while the remaining links are benign decoys. The pattern is built to trick the reader into fetching a malicious payload disguised as the wanted file; the PDF itself reaches the victim as a spearphishing attachment or through poisoned search results.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9945

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=solutions-manual-electric-machines.pdf
    • http://uncpbisdegree.com/download4.php?q=solutions-manual-electric-machines.pdf
    • http://www.syneoco.com/solutions/
    • http://lifttrucks.ringpower.com/new-forklifts/pallet-movers.aspx
    • http://hercules.com.au/
    • http://www.thimonnier.com/procede/manual-sealing-machines/6/
    • http://www.cleaningequipmentparts.com/customer/cleqpa/customerpages/pdfmanuals/eaglepropanes.pdf
    • http://www.advance-us.com/products/floormachinesandburnishers.aspx
    • https://www.hoistandwinch.co.uk/
    • http://www.onyxsolutions.com/images/downloads/Safety-Manual-for-Propane-Powered-Floor-Care-Equipment.pdf
    • http://www.optimumgroup.com.au/
    • http://www.doorking.com/
    • http://vselectric.com/
    • http://www.yardmachines.com/
    • http://www.zorinmaterial.com/
    • https://www.machine-solution.com/
    • http://www.blmgroup.com/en/tube-bending
    • https://www.ridgid.com/us/en/manual-threading
    • https://www.ridgid.com/us/en/threading-pipe-fabrication
    • https://www.ridgid.com/us/en/pipe-threading
    • https://www.fujielectric.com/products/semiconductor/
    • http://www.smithmfg.com/FS150electric.php
    • http://www.autobag.com/baggers/autobag-pacesetter-bagging-machines
    • https://chefschoice.com/product/chefschoice-international-professional-varitilt-electric-food-slicer-model-645/
    • https://chefschoice.com/product-category/food-slicers/
    • http://www.mastermover.com/
    • http://uncpbisdegree.com/1/the-doctor-who-fan-massacre-a-short-story-for-charity.pdf
    • http://riverside-resort.net/1/uwi-mona-graduate-application-form.pdf
    • http://uncpbisdegree.com/1/teenage-sexuality-health-risk-and-education-1st-edition.pdf
    • http://riverside-resort.net/1/wiley-homework-solutions.pdf
    • http://uncpbisdegree.com/1/sources-for-praxis-2-music-content-knowledge-study-guide.pdf
    • http://uncpbisdegree.com/1/tabasco-una-historia-compartida.pdf
    • http://uncpbisdegree.com/1/the-final-summit-a-quest-to-find-one-principle-that-will-save-humanity-andy-andrews.pdf
    • http://riverside-resort.net/1/xv-orszagos-kermia-beinnale-pecs-1998.pdf
    • http://uncpbisdegree.com/1/the-christmas-book.pdf
    • http://uncpbisdegree.com/1/suzuki-rm-1988.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://us.mitsubishielectric.com/fa/en/solutions/industries/industrial-sewing-equipment/programmable-sewing-machines
    • https://www.schneider-electric.com/en/work/products/automation-and-control.jsp
    • https://www.danfoss.com/en/about-danfoss/our-businesses/power-solutions/
    • https://www.hsn.com/shop/knife-sharpeners/qc0137
    • https://www.industry.usa.siemens.com/drives/us/en/electric-motor/pages/electric-motor.aspx
    • http://lincolnelectric.com/en-us/equipment/plasma-cutters/Pages/plasma-cutters.aspx
    • http://lincolnelectric.com/en-us/Pages/default.aspx
    • http://lincolnelectric.com/en-us/equipment/Pages/welding-cutting-equipment.aspx
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    +2 more URL(s)
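The three-signal conjunction described under PDF_SEO_FAKE_DOWNLOAD, as an added worked example written for this page (it is not the engine that produced the report): a standard-library Python triage that pulls /URI link targets and Tj text operands out of raw PDF bytes and fires only when the classifier score, a call-to-action phrase and an off-domain download gateway all agree. The sample PDF is constructed for the demo, with link targets copied from the URL list above; the thresholds ML_THRESHOLD and DECOY_SHARE_MIN, the gateway path pattern, and the reading of 'off-domain' as 'the gateway host is a minority of the document's link hosts' are assumptions, not the report's own definitions.

```python
"""Added example: the PDF_SEO_FAKE_DOWNLOAD three-signal rule over raw PDF bytes.

Illustrative code written for this page; it is not the analysis engine that
produced the report. Standard library only.
"""
from __future__ import annotations

import re
import zlib
from urllib.parse import parse_qs, urlparse

# Assumed thresholds/patterns for the demo (not the report's definitions).
ML_THRESHOLD = 0.9              # classifier score at which "ml_hit" counts
DECOY_SHARE_MIN = 0.5           # share of links that must point away from the gateway host
CTA_PHRASES = ("click here to download", "download now", "free download")
GATEWAY_PATH = re.compile(r"/download\d*\.php$", re.I)   # server-side download gateway
DOC_EXT = (".pdf", ".doc", ".docx", ".epub")             # payload named in the query string

# Body of every "stream ... endstream" object (lookbehind skips the "stream" inside "endstream").
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_uris(pdf: bytes) -> list[str]:
    """Collect /URI action targets from link annotations, literal (...) or hex <...> strings."""
    uris = [m.group(1).decode("latin-1") for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf)]
    for m in re.finditer(rb"/URI\s*<([0-9A-Fa-f\s]+)>", pdf):
        uris.append(bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()).decode("latin-1"))
    return uris


def extract_text(pdf: bytes) -> str:
    """Return the string operands of Tj operators from every content stream (inflating Flate ones)."""
    parts = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # stream is not Flate-compressed; scan it as-is
        parts += [s.decode("latin-1") for s in re.findall(rb"\(([^)]*)\)\s*Tj", data)]
    return " ".join(parts)


def is_download_gateway(url: str) -> bool:
    """True for a download gateway whose query string names a document, e.g. download3.php?q=x.pdf."""
    p = urlparse(url)
    if not GATEWAY_PATH.search(p.path):
        return False
    return any(v.lower().endswith(DOC_EXT) for v in parse_qs(p.query).get("q", []))


def triage(pdf: bytes, ml_score: float) -> dict:
    """Evaluate the conjunction; PDF_SEO_FAKE_DOWNLOAD fires only when all three signals hold."""
    uris = extract_uris(pdf)
    text = extract_text(pdf).lower()
    gateways = [u for u in uris if is_download_gateway(u)]
    gw_hosts = {urlparse(u).hostname for u in gateways}
    decoys = [u for u in uris if urlparse(u).hostname not in gw_hosts]
    decoy_share = len(decoys) / len(uris) if uris else 0.0
    ml_hit = ml_score >= ML_THRESHOLD
    cta_lure = any(p in text for p in CTA_PHRASES)
    gateway_link = bool(gateways) and decoy_share >= DECOY_SHARE_MIN
    return {
        "ml_hit": ml_hit,
        "cta_lure": cta_lure,
        "gateway_link": gateway_link,
        "gateways": gateways,
        "decoy_share": round(decoy_share, 2),
        "PDF_SEO_FAKE_DOWNLOAD": ml_hit and cta_lure and gateway_link,
    }


# Constructed sample: one page, an uncompressed content stream carrying the lure text, and six
# link annotations whose targets are copied from the report's URL list (the last one hex-encoded).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Length 98 >>
stream
BT /F1 12 Tf 72 700 Td (solutions manual electric machines) Tj
0 -20 Td (Click here to download) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://uncpbisdegree.com/download3.php?q=solutions-manual-electric-machines.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://uncpbisdegree.com/download4.php?q=solutions-manual-electric-machines.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.syneoco.com/solutions/) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.ridgid.com/us/en/manual-threading) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lincolnelectric.com/en-us/Pages/default.aspx) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <687474703a2f2f68657263756c65732e636f6d2e61752f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document with the gateways turned into plain direct file links: still a download-bearing
# PDF with a call-to-action, but no gateway, so the conjunction must not fire.
BENIGN_PDF = SAMPLE_PDF.replace(b".php?q=", b"/")

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage(doc, 0.9945))
```

Running it shows the sample firing on all three signals with a decoy share of 0.67, while the benign variant keeps the high classifier score and the call-to-action phrase yet stays unflagged because no gateway link is present. That is the point of acting on the conjunction rather than on any one signal.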

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                        Size
font_00_sfnt_off00005067.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x5067     10268 bytes
  SHA-256: 3cc9400eb0309545f8a99b2358c7496afa0c77c1ad67c36a4857b2191f08a8fe
font_01_sfnt_off0000710a.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x710A     6768 bytes
  SHA-256: 9ee87c6a529d26a4a3af2010873101b236eb76a81292166316d720500cb5557b