Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1b253a01e599308…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2018-06-11 09:32:41 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: 201571613b37881bdfdf3ecada42e84a
SHA-1: 5f73697a54b2dd281fa6df3bea07a6ffd99327c5
SHA-256: f1b253a01e59930805c900e252ca7504f5319195211371db253385e4e0d9ec66
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF was flagged by a machine learning classifier and a specific heuristic for SEO poisoning and fake download lures. The document body and embedded URLs point to a deceptive download page designed to trick users into downloading a payload. The primary IOC is the domain associated with the fake download link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9062

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://uncpbisdegree.com/download3.php?q=structural-engineer-calculations-online.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005153.bin
  SHA-256: 790e41dabc6d8494de13c123a1e1eec80668eb4c5192a8978b58f4258a27f79e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5153
  Size: 9820 bytes

Filename: font_01_sfnt_off000070cd.bin
  SHA-256: 83b115c89edfaee53ee87f03f29ccdab098122dd54640eb45bca415f47c98809
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x70CD
  Size: 7080 bytes