Malicious PDF — malware analysis report

Static analysis result for SHA-256 0913825377d32f77…

Verdict: MALICIOUS
File type: PDF
Size: 34.6 KB
Created: 2021-06-21 18:36:18 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 7d8e03f4b25eb9a4a29c0737c8f7a6b6
SHA-1: bf31cc7f84e2db5d42512c2c1101f048f410ebde
SHA-256: 0913825377d32f7792cd5b0f23ecea86ebaf2edfd895f0b8d7cb91f254e23224
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a "download button" lure, suggesting a phishing or malware distribution attempt. The ML classifier strongly flagged this PDF as malicious, and the presence of a "link farm" heuristic indicates a high volume of external links, likely for SEO poisoning or redirecting to malicious sites. The document body, though truncated, mentions "Roblox Free Pants Solid Color" and includes URLs related to game hacks and free items, indicating a lure to trick users into downloading or visiting malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003069.bin
  SHA-256: 759977a4a581f7baf8ecef7f1798c7e3c625b7d702a2cce96a8b841eda5d4ae5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3069
  Size: 22140 bytes

Filename: font_01_sfnt_off000061a9.bin
  SHA-256: 5a6b795f8a75628af76572e92885fd2645620aa4c8aff24341dae8329f40fe83
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x61A9
  Size: 19204 bytes