Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6fd4fd259e6e6ae…

Verdict: MALICIOUS
File type: PDF
Size: 48.6 KB
Created: 2018-06-11 08:09:26 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 44511acc59f440ef238c559b9a74698a
SHA-1: e1bb0697929b908fa5706fbe12ee75ec3382a28c
SHA-256: e6fd4fd259e6e6aebcf099e85ae80e6c5334c0b6ec3062935825b306fde4fc82
Risk Score: 130

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8931

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm [medium] PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000714b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x714B; Size: 14876 bytes
    SHA-256: 659e028578ddef07207897195681b1b9dd2a85e7e0d0fc053e3d46f1845771ce
  • font_01_sfnt_off00009eaa.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9EAA; Size: 8780 bytes
    SHA-256: fb46e3112c54b07a04a3fa9a663c65360e84d70740c20dc002ce0d7082b9fc97