Malicious PDF — malware analysis report

Static analysis result for SHA-256 f41c5da95ff5060e…

MALICIOUS

PDF

29.1 KB Created: 2018-06-11 10:01:02 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-09-24
MD5: 99e7a1bc0bdde6ce708071ee089fe117 SHA-1: a1454791c45bfc476f7eef792a6c03f4c0d2265f SHA-256: f41c5da95ff5060e95ef25dea72717e6b4bf0f655668fcef9c1a022a5e085218
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains an external URI pointing to a suspicious download URL, and a machine learning classifier flagged it as malicious. The document body includes text related to the download URL, suggesting a lure to download a file. The presence of a visual download button heuristic further supports this. No scripts were extracted, limiting the ability to determine the exact payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9665

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=the-seven-cs-of-positive-behaviour-management-alphabet-sevens.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=the-seven-cs-of-positive-behaviour-management-alphabet-sevens.pdfIn PDF document text
    • http://www.pageinsider.com/In PDF document text
    • http://www.ideadiez.com/In PDF document text
    • http://unifeob.edu.br/miniblog/henry-steiner-cabins-masters-thesisIn PDF document text
    • http://uncpbisdegree.com/1/simplifying-radicals-kuta-software-answers.pdfIn PDF document text
    • http://riverside-resort.net/1/writing-english-language-tests-longman-handbooks-for-teachers-jb-heaton.pdfIn PDF document text
    • http://riverside-resort.net/1/worksheet-08-02-combined-gas-law.pdfIn PDF document text
    • http://riverside-resort.net/1/wiring-diagram-for-motorcycle-turn-signals.pdfIn PDF document text
    • http://riverside-resort.net/1/west-bengal-joint-entrance-examination-board-contact-number.pdfIn PDF document text
    • http://riverside-resort.net/1/window-switch-wiring-diagram-of-golf2.pdfIn PDF document text
    • http://uncpbisdegree.com/1/the-fat-woman-apos-s-joke.pdfIn PDF document text
    • http://riverside-resort.net/1/workbook-excel-meaning.pdfIn PDF document text
    • http://riverside-resort.net/1/volume-trip-generation-manual-8th-edition.pdfIn PDF document text
    • http://riverside-resort.net/1/united-kingdom-news.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://www.psychologytoday.com/us/blog/inside-the-box/201402/thinking-outside-the-box-misguided-ideaIn PDF document text
    • https://en.wikipedia.org/wiki/Special:SearchIn PDF document text
    • http://music.163.com/In PDF document text
    • http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=ZH-CHS_EN&a=http%3a%2f%2fmusic.163.com%2fIn PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000038a8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x38A8 9796 bytes
SHA-256: c2b0ac04886fdafd3e02f6152e314a967ae74e349cf4134718f0eabd5173f730
font_01_sfnt_off000057f3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x57F3 7320 bytes
SHA-256: 029dee8525e61de3f926424a963b317c340790a065bf690f42f0d4c091f5e632

Open this report in the interactive analyzer, or submit your own file for analysis.