Malicious PDF — malware analysis report

Static analysis result for SHA-256 008c4704392a2534…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2021-05-15 04:44:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2002c38e74a274f31b2be68141ac5380
SHA-1: c7892c307638a39a64d854bb12da1845eccfefa4
SHA-256: 008c4704392a25346644db7503b082858eeb85f68fd2de460cc0242e049200bc
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains numerous embedded URLs that together form a link farm pointing to websites offering free game currency or hacks. The document body, though partially corrupted, contains the lure 'Roblox Gift Card For Free' and similar phrases. The external URI actions, taken together with the ML classifier's high-confidence score, indicate that the document is intended to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9971

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URI action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/roblox-gift-card-for-free-game-hack
    • http://aiyta.com/images/how-to-get-robux-for-free-2021_GM431946152.pdf
    • http://aiyta.com/images/free-400-spins-coin-master_GM406889139.pdf
    • http://aiyta.com/images/how-to-hack-minecraft-pe_GM479516143.pdf
    • http://aiyta.com/images/free-robux-without-human-verification-2021_GM431946152.pdf
    • http://aiyta.com/images/free-spin-links-coin-master-october-30-2021_GM406889139.pdf
    • http://aiyta.com/images/how-to-get-more-robux-for-free_GM431946152.pdf
    • http://aiyta.com/images/coin-master-heaven-free-daily-spins_GM406889139.pdf
    • http://aiyta.com/images/coin-master-hack-https-coinms-net_GM406889139.pdf
    • http://aiyta.com/images/free-coins-and-spins-coin-master_GM406889139.pdf
    • http://aiyta.com/images/free-robux-script_GM431946152.pdf
    • http://aiyta.com/images/coin-master-hacks-2021_GM406889139.pdf
    • http://aiyta.com/images/watch-ads-for-robux_GM431946152.pdf
    • http://aiyta.com/images/how-do-i-earn-robux_GM431946152.pdf
    • http://aiyta.com/images/how-to-hack-someones-roblox-account-2021_GM431946152.pdf
    • http://aiyta.com/images/pop-slots-free-vegas-casino-slot-machine-game-coin-master_GM406889139.pdf
    • http://aiyta.com/images/robux-free-2021_GM431946152.pdf
    • http://aiyta.com/images/how-to-hack-roblox-to-get-robux_GM431946152.pdf
    • http://aiyta.com/images/roblox-hack-me_GM431946152.pdf
    • http://aiyta.com/images/coin-master-free-spins--coins-2021_GM406889139.pdf
    • http://aiyta.com/images/roblox-zone-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off0000486f.bin
  SHA-256: 7c7b85d7c068fb31d37fd166616759cbf7932d7e719ba84a539100f11fc39f70
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecode stream at offset 0x486F
  Size: 25392 bytes

Filename: font_01_sfnt_off000083a8.bin
  SHA-256: 60e7b0d1b0e81cbc9f742acc768a1a32489c2ca7a8c90f8b1ba1abaa767594e4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x83A8
  Size: 18572 bytes
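The heuristics above (PDF_URI, EMBEDDED_URL with per-channel labels, PDF_SEO_LINK_FARM, SE_DOWNLOAD_BUTTON) and the artifact carving in this table can be reproduced on a raw PDF with a few lines of standard-library Python. The block below is an added example, not the vendor's scanner or code from this report: it builds a small constructed PDF (not the analysed sample) that reuses hosts and paths listed above, extracts URLs from link annotations and from inflated FlateDecode content streams, labels the channel for each, applies the link-farm rule with assumed thresholds (100 KB file size, at least 8 link annotations, at least 70% on one host; the vendor's real cut-offs are not given on the page), and carves each stream with its offset, kind and SHA-256 as the artifact table does. Function names, thresholds and the call-to-action phrase list are assumptions.

```python
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a hand-built PDF with ten /Link
# annotations on one host, one on a second host, and a FlateDecode content
# stream whose text carries a further URL and a call-to-action phrase. No xref
# table is written; the raw-byte scanner below does not need one.
LINK_HOST = "http://aiyta.com/images/"
LINK_PATHS = [
    "how-to-get-robux-for-free-2021_GM431946152.pdf",
    "free-400-spins-coin-master_GM406889139.pdf",
    "how-to-hack-minecraft-pe_GM479516143.pdf",
    "free-robux-without-human-verification-2021_GM431946152.pdf",
    "free-spin-links-coin-master-october-30-2021_GM406889139.pdf",
    "how-to-get-more-robux-for-free_GM431946152.pdf",
    "coin-master-heaven-free-daily-spins_GM406889139.pdf",
    "free-robux-script_GM431946152.pdf",
    "coin-master-hacks-2021_GM406889139.pdf",
    "watch-ads-for-robux_GM431946152.pdf",
]
BODY_TEXT = ("Roblox Gift Card For Free - Click here to download "
             "https://netcdn.xyz/app/431946152/roblox-gift-card-for-free-game-hack")
CTA_PHRASES = ("click here to download", "download now")   # assumed phrase list


def build_sample_pdf(paths=LINK_PATHS) -> bytes:
    annots = [LINK_HOST + p for p in paths] + ["http://en.wikipedia.org/wiki/MIT_License"]
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(annots)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + refs + b"] >>")
    data = zlib.compress(b"BT /F1 12 Tf 72 700 Td (" + BODY_TEXT.encode() + b") Tj ET")
    objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream")
    for url in annots:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 600 300 620]"
                    b" /A << /S /URI /URI (" + url.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                      # link-annotation URI actions
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")                  # URLs inside decoded text


def carve_streams(pdf: bytes):
    """Yield (offset, kind, data) for every stream, inflating FlateDecode ones.
    A stream that fails to inflate is skipped rather than aborting the scan."""
    for m in STREAM_RE.finditer(pdf):
        head, data = m.group(1), m.group(2)
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        # sfnt fonts (TrueType/OpenType) start with one of these signatures
        kind = "pdf-font-stream" if data[:4] in (b"\x00\x01\x00\x00", b"OTTO", b"true") \
            else "decompressed-pdf-stream"
        yield m.start(2), kind, data


def extract_urls(pdf: bytes):
    """(channel, url) pairs: link annotations vs. URLs in the decoded document body."""
    found = [("link_annotation", m.group(1).decode("latin-1")) for m in URI_RE.finditer(pdf)]
    for _, _, data in carve_streams(pdf):
        found += [("document_body", u.decode("latin-1")) for u in URL_RE.findall(data)]
    return found


def score(pdf: bytes, max_size=100 * 1024, min_links=8, min_share=0.7) -> dict:
    """Apply the report's heuristics. Thresholds are assumed, not the vendor's."""
    urls = extract_urls(pdf)
    links = [u for ch, u in urls if ch == "link_annotation"]
    hosts = Counter(urlparse(u).hostname for u in links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    text = b" ".join(d for _, _, d in carve_streams(pdf)).lower()
    hits = {}
    if urls:
        hits["EMBEDDED_URL"] = "info"
    if links:
        hits["PDF_URI"] = "info"
    if len(pdf) <= max_size and len(links) >= min_links and top_n / len(links) >= min_share:
        hits["PDF_SEO_LINK_FARM"] = "critical"   # small file, many links, one host dominates
    if any(p.encode() in text for p in CTA_PHRASES):
        hits["SE_DOWNLOAD_BUTTON"] = "low"
    artifacts = [{"offset": off, "kind": kind, "size": len(d),
                  "sha256": hashlib.sha256(d).hexdigest()} for off, kind, d in carve_streams(pdf)]
    return {"size": len(pdf), "urls": urls, "top_host": top_host,
            "hits": hits, "artifacts": artifacts}


if __name__ == "__main__":
    r = score(build_sample_pdf())
    for rule, sev in r["hits"].items():
        print(f"{sev:9} {rule}")
    for ch, u in r["urls"]:
        print(f"  {ch:16} {u}")
    for a in r["artifacts"]:
        print(f"  stream at 0x{a['offset']:X} {a['kind']} {a['size']} bytes {a['sha256'][:16]}")
```

Because this scans raw bytes, it misses URI actions stored inside compressed object streams (/ObjStm), encrypted documents, and URIs written as hex strings; a production scanner walks the object graph with a real PDF parser and decodes every filter chain. The per-channel label is the useful part for triage: a URL reached only from the document body is a lure, whereas one reachable by a click on a link annotation is the actual delivery path.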