PDF malware analysis — malicious · e9070981e002cec2

MALICIOUS

PDF

63.4 KB Created: 2018-06-11 09:29:39 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)

MD5: d309ffe27e5dd3edfd1cfb6e7e26d360 SHA-1: 5e77019a8e46a8954ddcd767f730b474b19b8b15 SHA-256: e9070981e002cec24394903e06feea51b856e6e7739a641da0b9868d70a8d1ab

70 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious Link: Malicious File

The file is identified as a PDF dropper by ClamAV. It contains embedded URLs that are likely used to trick users into downloading further malicious content, disguised as a book titled 'the cloud collector a thriller'. The presence of a visual download button heuristic further supports this lure-based attack pattern. The primary malicious URLs identified are http://uncpbisdegree.com/download3.php?q=the-cloud-collector-a-thriller.pdf and http://uncpbisdegree.com/download4.php?q=the-cloud-collector-a-thriller.pdf.

Heuristics 4

ClamAV: Pdf.Dropper.Agent-9263916-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-9263916-0
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://uncpbisdegree.com/download3.php?q=the-cloud-collector-a-thriller.pdf
- http://uncpbisdegree.com/download4.php?q=the-cloud-collector-a-thriller.pdf
- http://habnix.de/the/cloud/the_cloud_collector_a_thriller.pdf
- http://makingcentsoutoflife.com/pdf-reader/the-cloud-collector-a-thriller.pdf
- http://www.ecasazone.com/the-cloud-collector-a-thriller.pdf
- http://riverside-resort.net/1/sony-d-sj301-cd-players-owners-manual.pdf
- http://riverside-resort.net/1/the-invisible-masterpiece.pdf
- http://riverside-resort.net/1/texas-and-texans-activity-workbook-answers.pdf
- http://riverside-resort.net/1/straighterline-exam-answer.pdf
- http://riverside-resort.net/1/the-accidental-bride-summer-island-2-christina-skye.pdf
- http://riverside-resort.net/1/survey-of-operating-systems-answers.pdf
- http://riverside-resort.net/1/the-railway-pocket-bible-pocket-bibles.pdf
- http://riverside-resort.net/1/the-hinge-factor-how-chance-and-stupidity-have-changed-history-erik-durschmied.pdf
- http://riverside-resort.net/1/style-freedom-meter-manual.pdf
- http://riverside-resort.net/1/sunu-sunu-snail-storm-in-the-garden-sunusunu-nattha-thotalo-toofanu.pdf
- https://www.amazon.com/Cloud-Collector-Thriller-Brian-Freemantle/dp/1250066239
- https://www.amazon.com/Thrillers-Mystery-Books/b?ie=UTF8&node=10484
- https://www.amazon.com/Cloud-Collector-Thriller-Brian-Freemantle-ebook/dp/B00PP63QBO
- https://www.barnesandnoble.com/w/the-cloud-collector-brian-freemantle/1120204962
- https://play.google.com/store/books/details/The_Cloud_Collector_A_Thriller?id=5i9sBQAAQBAJ
- https://54109426.r.bat.bing.com/?ld=d3BmX4Qta_uJawNaBRBWJiYDVUCUzEkJs4IDbKUj32c3w_TRf7HX1pASO823KCpTgg-3zYYdRmRgyeHXHG7bNRsJvQGCtoAZ1sxHWBzHbWOdQ-UnKq35CGINHS2Fgn6SJjQ3s7IEFR-O6VV6pd-5kTo9tx6XjOZaHRJnZeTgb8M3a6igTe&u=http%3a%2f%2fwww.amazon.com%2fs%2f%3fie%3dUTF8%26keywords%3dthe%2bcloud%2bcollector%26tag%3dmh0b-20%26index%3dstripbooks%26hvadid%3d77790473296089%26hvqmt%3dp%26hvbmt%3dbp%26hvdev%3dc%26ref%3dpd_sl_4tugca4fhr_p
- https://54109426.r.bat.bing.com/?ld=d3BJ6GScJEbrgAgmTlNcZMQTVUCUzqWN90iSgwq6f8FasqYLhnYyU0Z3nRpJrIvwireF94RNc0t-7Neu4PjboeRHEBMzETgF2JurKoz03re9bxudG2gbccK8NS4dswu9L-JLutPWkt0yB0lYZ_x2jFg7yZLCHgUSQ5bsLhfmWTg07zRZa4&u=https%3a%2f%2fwww.amazon.com%2fprime%3fref%3dpd_sl_2x6k44cdke_e%26tag%3dmh0b-20
- https://54109426.r.bat.bing.com/?ld=d3_TYC9lY26uPofbYjR4-bCjVUCUykH7nD1Gg_pvVNpXh1T7SKafhK2R63j46Xr8wVD89gwfKmXHNL8gUhtsfOE_F0hckoYfJwf4gxf6xv3AUKnlTKNqere_6q5UNM4mXqAzhyqcglJTwX9CNhlq5Z6NuH-Gw3jiZcCFrLxT233SvVMdPN&u=https%3a%2f%2fwww.amazon.com%2fsmart-home%2fb%2f%3fnode%3d6563140011%26ref%3dpd_sl_3vx4two44d_e%26tag%3dmh0b-20
- https://54109426.r.bat.bing.com/?ld=d3c38hw9tko0oZvgpHAmRY6DVUCUwmmMGTk9A7pIhY65isZMNMHlrPZMf1cYMf7GHd4buRHNpyC-Y9Y7MTfHBfJ_3ymkBASYm0KQowQzrjNRBzBwnhOCg-LTwAMDKUsVehbW8Aa3cYZKJ1E35rt9ForX-wU0Tc7HPGVeIer5STApZfTxdu&u=https%3a%2f%2fwww.amazon.com%2fmeet-alexa%2fb%2f%3fnode%3d16067214011%26ref%3dpd_sl_4ty6me0vqj_e%26tag%3dmh0b-20
- http://go.microsoft.com/fwlink/?LinkID=617350
- https://read.amazon.com/kp/embed?asin=B00PP63QBO&tag=bing08-20&linkCode=kpp
- https://www.goodreads.com/book/show/23014753-the-cloud-collector
- https://www.amazon.com/product-reviews/1250066239
- https://www.barnesandnoble.com/w/the-cloud-collector-brian-freemantle/1120204962?ean=9781250066237
- http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
- http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
- https://go.microsoft.com/fwlink/?linkid=868922
- http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
- http://go.microsoft.com/fwlink/?LinkID=617297
- https://54109426.r.bat.bing.com/?ld=d3BmX4Qta_uJawNaBRBWJiYDVUCUzEkJs4IDbKUj32c3w_TRf7HX1pASO823KCpTgg-3zYYdRmRgyeHXHG7bNRsJvQGCtoAZ1sxHWBzHbWOdQ-UnKq35CGINHS2Fgn6SJjQ3s7IEFR-O6VV6pd-5kTo9tx6XjOZaHRJnZeTgb8M3a6igTe&u=http%3a%2f%2fwww.amazon.com%2fs%2f%3fie%3dUTF8%26keywords%3dthe%2bcloud%2bcollector%26tag%3dmh0b-20%26index%3dstripbooks%26hvad

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a9e1.bin` `edc2335eaf9d2b9b3fd0b44518be4aa57286e4e3aa3e3ab43fa8db4a340232d9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA9E1	13768 bytes
`font_01_sfnt_off0000d498.bin` `9cbc98039d5f983a54d4a69fdc86d3e661098bef307e4b839373256cb1f03f1f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD498	9420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.