Malicious PDF — malware analysis report

Static analysis result for SHA-256 03c889a843fa292c…

MALICIOUS

PDF

46.8 KB Created: 2021-06-08 17:24:31 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a470f9f40c342d09abf733bb8039bf7c SHA-1: 1d585d07631a194b028e89b0138ce5b2fed5a3af SHA-256: 03c889a843fa292c999c0bb826c84d77466ffbda8aa249af73bda6085671c229
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by an ML classifier and contains a large number of SEO-optimized links pointing to other PDFs, many of which are hosted on the IP address 111.68.26.74. The document body and extracted URLs suggest a lure for game cheats and hacks, indicating an attempt to trick users into downloading further malicious content. The presence of embedded URIs and the overall structure strongly suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9832

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.tw/app/431946152/dragon-ball-z-hack-roblox-game-hack
    • http://111.68.26.74/widyapustaka/repository/coin-master-hack-pc-free_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/scriptexecutor-roblox-free_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-hack-someone-on-roblox_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-download_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/best-site-for-free-coin-master-free-spin-link_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-free-cards-sets-for-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/get-free-minecraft-account_GM479516143.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-hack-apk-android_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-400-spin-link-today_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-free-spins-link-2021-iphone_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-cards_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-claimgg-codes_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/minecraft-pc-download-free-full-version_GM479516143.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-generator-no-verification-2021_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-free-link-daily_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-spins-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/robux-robux_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/websites-that-give-you-free-robux_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-free-robux-easy-no-download_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-hack-apk-ios_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000051e4.bin
9e2ced46c67a9450e9e4e1346de5703c9aa87c6b9079def0de6ae29b298b4a80		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x51E4 28108 bytes
font_01_sfnt_off0000930f.bin
582f3228fc2009858620eb3383ccf0e095c1a1d27a19ed58bf6246ab1d85b761		 pdf-font-stream PDF embedded font (sfnt) at offset 0x930F 18732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.