Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea6490c2bced6681…

Verdict: MALICIOUS
File type: PDF

Size: 37.3 KB
Created: 2018-06-11 09:46:58 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 635e0feecd68dba3c00a405f2daaf51d
SHA-1: c5045b665dad1c12cc688f0d9fb04cd938960035
SHA-256: ea6490c2bced668111402dcbb39f701f7d8f38fb673d1c48a5a5205d95171d34
Risk score: 130

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8604

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF (critical) [PDF_SEO_FAKE_DOWNLOAD]
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware or scareware. Firing only on the conjunction keeps benign PDFs that merely contain a download link from being misflagged. In this sample the gateway shape is visible in the download3.php and download4.php links on uncpbisdegree.com, whose q= parameter names the-practice-of-statistics-4th-edition.pdf.
  • PDF carries a PHP-gateway SEO-spam PDF link farm (medium) [PDF_SEO_PHP_GATEWAY_LINK_FARM]
    The PDF contains four or more clickable links whose target is a `.php` gateway followed by a multi-word search-phrase document slug, either in the query string (e.g. 'index.php?.../binary+options+trading+nz.pdf') or as path info (e.g. 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimately PHP-served documents are addressed by a filename or a numeric id, not by a search-query phrase, so this is the generated SEO link-farm shape: pharma, binary-options and 'free download' spam that ranks for those queries and routes users into payload or redirect chains. The PDF itself carries no exploit; the risk is in the linked destinations, so the gateway hosts rather than the file are what to block or investigate.
  • Visual download / call-to-action button lure (low) [SE_DOWNLOAD_BUTTON]
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own and is only meaningful when other findings point to a malicious workflow.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Channel for every URL listed below: PDF document text.
    • http://uncpbisdegree.com/download3.php?q=the-practice-of-statistics-4th-edition.pdf
    • http://uncpbisdegree.com/download4.php?q=the-practice-of-statistics-4th-edition.pdf
    • http://www.slader.com/textbook/9781429245593-the-practice-of-statistics-for-ap-4th-edition/
    • http://www.wowebook.org/
    • http://www.slader.com/textbook/9780131362215-blitzer-precalculus-4th-edition/
    • https://www.windpowerbigdata.com/
    • https://www.internet4classrooms.com/skills_4th_science.htm
    • http://www.academia.dk/BiologiskAntropologi/Epidemiologi/PDF/Introductory_Statistics_with_R__2nd_ed.pdf
    • http://www.thetickhillsurgery.co.uk/
    • http://www.mrsrenz.net/forstudents/langartslinks.htm
    • https://www.spellingcity.com/homophones-and-homonyms.html
    • https://andrewmilivojevich.com/range-statistics/
    • http://riverside-resort.net/1/the-scarlet-ibis-settings-answers.pdf
    • http://riverside-resort.net/1/sheds-david-stiles.pdf
    • http://riverside-resort.net/1/the-n-word-who-can-say-it-shouldnt-and-why-jabari-asim.pdf
    • http://riverside-resort.net/1/superconductivity-in-ternary-compounds-ii-superconductivity-and-magnetism.pdf
    • http://riverside-resort.net/1/tempted-dark-protectors-25-rebecca-zanetti.pdf
    • http://riverside-resort.net/1/the-twisted-skeins-of-a-family-tapestry.pdf
    • http://riverside-resort.net/1/then-again.pdf
    • http://riverside-resort.net/1/smartfone-movil-n100-manual.pdf
    • http://riverside-resort.net/1/the-observation-and-analysis-of-stellar-photospheres.pdf
    • http://riverside-resort.net/1/show-2018-november-question-paper-for-grade11.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.chegg.com/homework-help/the-practice-of-statistics-4th-edition-solutions-9781429245593
    • https://www.wiley.com/en-us/The+Heart+of+Mathematics%3A+An+Invitation+to+Effective+Thinking%2C+4th+Edition-p-9781118156599
    • https://www.wiley.com/en-us
    • https://www.wiley.com/en-us/Subjects-c-subjects
    • https://www.wiley.com/en-us/Mathematics+%26+Statistics-c-MA00
    • https://www.amazon.com/Programming-Principles-Practice-Using-2nd/dp/0321992784
    • https://www.amazon.com/Computers-Technology-Books/b?ie=UTF8&node=5
    • https://www.amazon.com/Languages-Tools-Programming-Books/b?ie=UTF8&node=3952
    • http://www.academia.edu/31003871/Data_Communications_and_Networking_4th_Edition_Behrouz_A._Forouzan.pdf
    • http://www.dot.ga.gov/PartnerSmart/DesignManuals/PolicyAnnouncements/RDG-Cota
    • http://www.jblearning.com/catalog/9781284078985/
    • http://www.jblearning.com/nursing/gerontology/
    • http://www.jblearning.com/catalog/9781284043259/
    • http://www.jblearning.com/healthcare/managedcare/
    • https://www.psychiatry.org/psychiatrists/practice/dsm
    • http://webassign.net/
    • http://www.who.int/reproductivehealth/publications/en/
    • http://www.who.int/entity/reproductivehealth/en/
    • http://www.who.int/entity/reproductivehealth/publications/en/
    • http://forgottenrealms.wikia.com/wiki/Genasi
    • https://www.khanacademy.org/
    • https://www.amazon.com/Linear-Algebra-Its-Applications-5th/dp/032198238X
    • https://www.amazon.com/books-used-books-textbooks/b?ie=UTF8&node=283155
    • https://www.amazon.com/Science-Math-Books/b?ie=UTF8&node=75
    • https://www.amazon.com/Mathematics-Science-Books/b?ie=UTF8&node=13884
    • https://study.com/academy/lesson/bullying-school-shootings-statistics-facts.html
    (8 more URLs not shown)
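The three heuristics above (PDF_SEO_FAKE_DOWNLOAD, PDF_SEO_PHP_GATEWAY_LINK_FARM and SE_DOWNLOAD_BUTTON) are described in prose only. The following is an added example, not the scanner's own code, that re-implements them over a constructed URL list: the two uncpbisdegree.com gateway links copied from this report, the two gateway shapes quoted in the rule text placed on a hypothetical host (gateway.example.test), two of the report's benign decoy links, and two legitimate PHP links on a hypothetical library.example.test. The `home_host` parameter (the site the document presents itself as belonging to, used for the off-domain test), the 0.5 ML threshold, the extra document extensions beyond .pdf and the extra call-to-action variants are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Document-payload extensions a gateway slug may name. The rule text above only
# mentions .pdf; the other extensions are an assumption added for generality.
DOC_EXT = (".pdf", ".doc", ".docx", ".epub")

# Call-to-action phrases from the SE_DOWNLOAD_BUTTON description, plus a few
# obvious variants (assumption).
CTA_RE = re.compile(
    r"\b(click here to download|download now|free download|download (?:the )?(?:pdf|e?book))\b",
    re.IGNORECASE,
)


def _host(url):
    """Lower-cased hostname with a leading 'www.' stripped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def gateway_slug(url):
    """Return (slug, channel) if `url` targets a .php gateway carrying a
    multi-word search-phrase document slug, else None. `channel` is 'query'
    for '?q=the-practice-...pdf' and 'path' for 'pdf.php/cialis-...pdf'.
    A bare filename ('report.pdf') or numeric id ('id=12345') is the
    legitimate PHP-served-document shape and is not a hit."""
    parts = urlparse(url)
    if ".php" not in parts.path.lower():
        return None
    candidates = []
    for values in parse_qs(parts.query).values():          # query-string form
        candidates.extend((v, "query") for v in values)
    m = re.search(r"\.php/(.+)$", parts.path, re.IGNORECASE)  # path-info form
    if m:
        candidates.append((m.group(1), "path"))
    for value, channel in candidates:
        value = unquote(value)
        if not value.lower().endswith(DOC_EXT):
            continue
        stem = value.rsplit(".", 1)[0]
        words = [w for w in re.split(r"[-+_ ]+", stem) if w]
        # three or more words, not all numeric: a search phrase, not an id
        if len(words) >= 3 and not all(w.isdigit() for w in words):
            return value, channel
    return None


def php_gateway_link_farm(urls, threshold=4):
    """PDF_SEO_PHP_GATEWAY_LINK_FARM: fire when at least `threshold` links
    have the gateway-plus-search-phrase shape. Returns (fires, matching_urls)."""
    hits = [u for u in urls if gateway_slug(u) is not None]
    return len(hits) >= threshold, hits


def fake_download_lure(ml_score, text, urls, home_host, ml_threshold=0.5):
    """PDF_SEO_FAKE_DOWNLOAD: fire only on the conjunction of all three signals.
    `home_host` is the site the document presents itself as coming from
    (assumption: supplied by the caller); a gateway on any other host counts
    as off-domain. Only the query-string gateway form counts here, as the
    rule text requires. Returns (fires, signals, gateway_urls)."""
    home = home_host.lower()
    home = home[4:] if home.startswith("www.") else home
    gateways = [
        u for u in urls
        if (hit := gateway_slug(u)) is not None and hit[1] == "query" and _host(u) != home
    ]
    signals = {
        "ml_flagged": ml_score >= ml_threshold,
        "cta_lure": CTA_RE.search(text) is not None,
        "offdomain_gateway": bool(gateways),
    }
    return all(signals.values()), signals, gateways


# Constructed sample input (see lead-in): report gateway links, the rule text's
# two gateway shapes on a hypothetical host, decoys, and legitimate PHP links.
SAMPLE_URLS = [
    "http://uncpbisdegree.com/download3.php?q=the-practice-of-statistics-4th-edition.pdf",
    "http://uncpbisdegree.com/download4.php?q=the-practice-of-statistics-4th-edition.pdf",
    "http://gateway.example.test/index.php?q=binary+options+trading+nz.pdf",
    "http://gateway.example.test/pdf.php/cialis-dosage-side-effects.pdf",
    "http://www.slader.com/textbook/9781429245593-the-practice-of-statistics-for-ap-4th-edition/",
    "https://www.khanacademy.org/",
    "https://library.example.test/view.php?id=12345",
    "https://library.example.test/docs.php?file=report.pdf",
]
# Constructed document text carrying a call-to-action phrase.
SAMPLE_TEXT = "The Practice of Statistics, 4th Edition. Click here to download the full PDF."

if __name__ == "__main__":
    print(php_gateway_link_farm(SAMPLE_URLS))
    print(fake_download_lure(0.8604, SAMPLE_TEXT, SAMPLE_URLS, "library.example.test"))
```

With the sample input the link-farm rule fires on exactly the four gateway links and ignores the numeric-id and plain-filename PHP links; the conjunction rule fires with the report's classifier score, and stops firing if the score drops, the call-to-action text is absent, or the only gateway links sit on the document's own host.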

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005616.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5616
Size: 10364 bytes
SHA-256: 371b92c8d999050170014e61ac7d42e9d8b508f8d403d1c6789694a01d40ba1e

Filename: font_01_sfnt_off00007711.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7711
Size: 6712 bytes
SHA-256: 3804672878d05e0862e16b5f2ffa053076be399ae0c7b9013ee2af8970f7377a