Malicious PDF — malware analysis report

Static analysis result for SHA-256 f51242fa35623e11…

Verdict: MALICIOUS
File type: PDF
Size: 32.4 KB
Created: 2018-06-11 08:16:28 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: dc75b92493baf02f2df081c1435da7fe
SHA-1: f9d57b3944fe2c348fd6418485fbeb6613ed3001
SHA-256: f51242fa35623e1142544f3753b31900d71b8ed9c56cbecd7c7d5a6e82bfd6d8
Risk Score: 142

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.007 JavaScript

This PDF file is classified as malicious due to its use of SEO poisoning to lure users into downloading a fake file. It contains links to suspicious domains such as 'uncpbisdegree.com' which are likely intended to host or redirect to malware. The presence of a visual download button further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9123

Heuristics (5)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF link to algorithmically-generated URL [high] PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://uncpbisdegree.com/download3.php?q=the-romantic-rebels.pdf
    • http://uncpbisdegree.com/download4.php?q=the-romantic-rebels.pdf
    • https://etcanada.com/photos/321048/royal-rebels-how-harry-and-meghan-have-broken-with-tradition/
    • http://www.123helpme.com/search.asp?text=romantic+period
    • http://www.rebelsmarket.com/s/goth-16
    • http://www.rebelsmarket.com/alternative-fashion-styles
    • http://disneyworld.disneyfloralandgifts.com/product/awishcometruetwodayromanticexperience.do
    • https://foxhugh.com/spanish/100-spanish-loveromantic-phrases/
    • http://www.justromanticsuspense.com/p/book-blurbs.html
    • http://uncpbisdegree.com/1/the-dude-and-the-zen-master.pdf
    • http://uncpbisdegree.com/1/skoll-scholarship.pdf
    • http://riverside-resort.net/1/up-the-agency.pdf
    • http://uncpbisdegree.com/1/siddhartha-study-guide-question-answers.pdf
    • http://riverside-resort.net/1/white-model-1505-manual.pdf
    • http://uncpbisdegree.com/1/sharp-r654-microwave-manual.pdf
    • http://uncpbisdegree.com/1/sound-storm-subwoofer-owners-manual.pdf
    • http://riverside-resort.net/1/vw-t4-service-manual.pdf
    • http://uncpbisdegree.com/1/the-garden-of-priapus-sexuality-and-aggression-in-roman-humor.pdf
    • http://uncpbisdegree.com/1/selective-bibliography-on-the-conservation-of-research-library-materials.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://www.allmusic.com/album/soul-rebels-mw0000081864
    • http://www.slashfilm.com/star-wars-rebels-finale/
    • http://starwars.wikia.com/wiki/Star_Wars_Rebels:_Heroes_of_Mandalore
    • http://www.slashfilm.com/star-wars-rebels-series-finale-spoiler-review/
    • http://tvtropes.org/pmwiki/pmwiki.php/Main/RebelLeader
    • https://www.economist.com/news/books-and-arts/21576067-why-1979-was-about-so-much-more-margaret-thatchers-election-victory-when-world
    • http://starwars.wikia.com/wiki/Kanan_Jarrus
    • http://www.dailymail.co.uk/news/article-5174875/Tory-rebels-accuse-Government-deaf.html
    • http://www.dailymail.co.uk/news/article-5381693/Duterte-tells-troops-shoot-female-rebels-vagina.html
    • https://www.vogue.com/article/best-romantic-comedies-of-all-time
    • http://www.historynet.com/civil-war-soldiers
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004371.bin | 8bc107b095b5afe6ab4523555fca8c8511fada13f786649501ceaa0d6973d033 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4371 | 10600 bytes
font_01_sfnt_off0000650e.bin | 38345162184ce9267c75e8c9d2d941807bea74f0046c954372bcfb97d05be481 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x650E | 6836 bytes