Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdcb9188f5f041be…

MALICIOUS

PDF

28.1 KB Created: 2018-06-11 09:33:06 -04:00 Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7) First seen: 2020-09-07
MD5: fcfcafba279b99c6b93e35ca8eb6279f SHA-1: 9b91331d9e2e7a14fa87f8c03a99cd3d8fe7fdd7 SHA-256: fdcb9188f5f041befc430226f4a40840b8ec0f0036b30897b824c57126e49048
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged by an ML classifier as malicious. It contains multiple external URIs pointing to domains like 'uncpbisdegree.com' and 'riverside-resort.net', which are likely hosting malicious payloads disguised as documents. The document body also contains these URLs, reinforcing the lure. No scripts were extracted, but the presence of external links and the ML classification strongly suggest a download-and-execute attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9680

Heuristics 4

  • Fake 'free download' SEO-poisoning PDF critical PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://uncpbisdegree.com/download3.php?q=sony-vpceb45fx-laptops-owners-manual.pdf In PDF document text
    • http://uncpbisdegree.com/download4.php?q=sony-vpceb45fx-laptops-owners-manual.pdfIn PDF document text
    • http://riverside-resort.net/1/us-history-january-2017-answer-key.pdfIn PDF document text
    • http://uncpbisdegree.com/1/sony-spp-a941-service-manual-user-guide.pdfIn PDF document text
    • http://uncpbisdegree.com/1/the-fantastic-jungles-of-henri-rousseau.pdfIn PDF document text
    • http://riverside-resort.net/1/waec-exam-may-june-2014-2015-physics-theory-and-objective-question-answer.pdfIn PDF document text
    • http://uncpbisdegree.com/1/shugo-chara-11.pdfIn PDF document text
    • http://uncpbisdegree.com/1/simple-name-card-design-free.pdfIn PDF document text
    • http://uncpbisdegree.com/1/system-of-national-accounts-2008.pdfIn PDF document text
    • http://riverside-resort.net/1/unit-operations-of-chemical-engineering-7th-edition-solutions-manual.pdfIn PDF document text
    • http://riverside-resort.net/1/what-does-a-screwdriver-do.pdfIn PDF document text
    • http://uncpbisdegree.com/1/tesccc-answer-key-grade-7-unit-4.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409In PDF document text
    • https://go.microsoft.com/fwlink/?linkid=868922In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409In PDF document text
    • http://go.microsoft.com/fwlink/?LinkID=617297In PDF document text
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000319a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319A 10744 bytes
SHA-256: e6b39bf5ae8e8758ef7335f75c6449686c13ef51a1f6690c34a4187c6558b1d9
font_01_sfnt_off0000538f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x538F 7492 bytes
SHA-256: d65062c6350c58bed847dddda51e49c4e9e2048f68e81f1eca236cdf18b6d697

Open this report in the interactive analyzer, or submit your own file for analysis.