Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8cb3b9e67c6c79f…

Verdict: MALICIOUS
File type: PDF
Size: 58.5 KB
Created: 2018-06-11 08:47:31 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: c7136c4c658f0ed0c7650182ecb173c2
SHA-1: d0dbbcd7c647c4229fff240ef059c9969a2ffb2e
SHA-256: e8cb3b9e67c6c79fda7e8b465476f32f963b6c79717f10cafa8fc904452f0d1c
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The file was detected by ClamAV as Pdf.Dropper.Agent-9106995-0, indicating it functions as a dropper. The presence of external URIs and a visual download button lure suggests a social engineering tactic to trick the user into downloading a secondary payload. The document body contains multiple URLs pointing to potential download locations, reinforcing the dropper functionality.

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-9106995-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9106995-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00009958.bin
  SHA-256: 7cfdd455b4597a666e747e41292e68e1395ff8da14e2d35c77bf6a3f18648b71
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9958
  Size: 14380 bytes

Artifact 2
  Filename: font_01_sfnt_off0000c576.bin
  SHA-256: 74b508440dd39372673e8b86244f169fda2628ba7ab9d6ebed7f0294fe991b61
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC576
  Size: 7848 bytes