Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa5b6187cd9b7adc…

MALICIOUS

PDF

Size: 36.0 KB
Created: 2018-06-11 09:01:45 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
MD5: bfbe470d6a491e4e3cab684aa508e0f8
SHA-1: 75b3f390d246456bdc0a102344e0033a40ff4dd9
SHA-256: fa5b6187cd9b7adc939c1e5a0b9b64826525140563c9aa5b4c987a20dec86a6f
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF carries an external URI action (the PDF_URI heuristic) pointing to a download link, and the document body includes similar download URLs. A 'download button' call-to-action heuristic further supports the lure. The ClamAV detection confirms the file as malicious. The primary attack vector appears to be a social-engineering lure disguised as a study guide, intended to trick users into downloading a malicious payload from the provided URLs.

Heuristics (4)

  • ClamAV: Pdf.Malware.Agent-9793822-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Malware.Agent-9793822-0
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=study-guide-industrial-mechanic-millwright.pdf
    • http://uncpbisdegree.com/download4.php?q=study-guide-industrial-mechanic-millwright.pdf
    • http://www.itabc.ca/program/industrial-mechanic-millwright
    • https://www.conestogac.on.ca/fulltime/industrial-mechanic-millwright-apprenticeship
    • http://www.conestogac.on.ca/fulltime/mechanical-techniques-industrial-millwright
    • http://www.randstad.ca/
    • http://www.itabc.ca/sites/default/files/docs/manage/Exams/Exam
    • http://www.istc.net/?Section=Training&Courses=None
    • https://www.browntechnical.org/
    • http://www.dieselduck.info/machine/index.html
    • http://www.dieselduck.info/library/index.html
    • https://www.gprc.ab.ca/departments/upgrading/ged.html
    • https://www.vocationaltraininghq.com/vocational-training-programs-courses-list/
    • http://www.sait.ca/programs-and-courses?available=&offered=&credential=&term=&interest=&activeTab=&page=5
    • https://www.providentinsurance.co.uk/quote/
    • https://7eagle.com/search-openings/
    • http://www.etdpseta.org.za/education/sites/default/files/2017-07/OFO
    • https://www.esi-africa.com/a-guide-to-obtaining-a-wireman-s-license/
    • https://www.rrbrecruitment2018.co.in/
    • https://www.stlawrencecollege.ca/programs-and-courses/full-time/program-list/
    • http://correctionalserviceslearnership.com/bmw-learnership-programme/
    • http://correctionalserviceslearnership.com/category/learnerships/
    • http://riverside-resort.net/1/vision-and-art-the-biology-of-seeing.pdf
    • http://uncpbisdegree.com/1/statics-solutions-mariam-7th-edition-bing.pdf
    • http://uncpbisdegree.com/1/solutions-manual-south-western-taxation-2017.pdf
    • http://riverside-resort.net/1/vw-fox-wiring-diagram-cooling-fan.pdf
    • http://uncpbisdegree.com/1/the-informant.pdf
    • http://uncpbisdegree.com/1/semantics-john-i-saeed.pdf
    • http://uncpbisdegree.com/1/the-face-of-truth-a-study-of-meaning-and-metaphysics-in-the-vedantic-theology-of-ramanuja.pdf
    • http://uncpbisdegree.com/1/sweet-swan-of-avon-did-a-woman-write-shakespeare.pdf
    • http://uncpbisdegree.com/1/the-art-of-effective-fracture-fixation-with-rush-pins.pdf
    • http://uncpbisdegree.com/1/sport-for-development-and-peace-a-critical-sociology-1st-edition.pdf
    • https://www.kijiji.ca/b-ontario/millwright-exam/k0l9004
    • https://www.kijiji.ca/h-ontario/9004
    • https://www.payscale.com/research/CA/Job=Millwright/Hourly_Rate
    • https://www.payscale.com/research/CA/Country=Canada/Salary
    • https://www.payscale.com/index/CA/Job
    • https://www.bls.gov/soc/soc_2010_direct_match_title_file.xls
    • https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.bls.gov%2Fsoc%2Fsoc_2010_direct_match_title_file.xls
    • https://collegesearch.mo.gov/
    • https://www.tru.ca/programs.html
    • https://view.officeapps.live.com/op/view.aspx?src=http%3A%2F%2Fwww.etdpseta.org.za%2Feducation%2Fsites%2Fdefault%2Ffiles%2F2017-07%2FOFO%2520Update%2520Version%2520December%25202015%2520and%2520Data%2520Tables.xls
    • https://en.wikipedia.org/wiki/Apprenticeship
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409
    • https://go.microsoft.com/fwlink/?linkid=868922
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409
    • http://go.microsoft.com/fwlink/?LinkID=617297
    • https://www.tru.ca/prog

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000514a.bin
    SHA-256: 80eef56f77c46c570c8cf9c9ccb1a61403c66c5a7bd8cc9c7e396c287e644d97
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x514A
    Size: 9880 bytes
  • Filename: font_01_sfnt_off000070e2.bin
    SHA-256: 8569155038f251c78bb71ae943692f8594ae0e2e4d585d61fbb0e1d5255f29d5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70E2
    Size: 7240 bytes