Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a6fac670efdf86f…

Verdict: MALICIOUS

File type: PDF

Size: 35.4 KB
Created: 2021-07-01 16:35:26 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)

MD5: 6c1688d920919440908284581bfb4e34
SHA-1: f0e082aad38ddbf48027ea01a848d3f5f6a3dd15
SHA-256: 0a6fac670efdf86f6c06bc6e00336593102ad9a5c412bcad270154bf6018856b

Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs that link to sites offering game hacks and cheats, suggesting a lure for users to download potentially malicious files. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of such links, and the ML classifier strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of many external links and the document's content strongly suggest an attempt to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/roblox-admin-hack-unpatched-game-hack
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/hack-xp-net-coin-master_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/free-refunds-for-roblox-site_GM431946152.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/coin-master-spin-hack-trick_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/free-spins-coin-master-daily_GM406889139.pdf
    • https://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/optifine-mcpe_GM479516143.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/free-minecraft-coloring-pages_GM479516143.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/coin-master-hack-mod-apk-35-8_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/coin-master-hack-apk-app_GM406889139.pdf
    • https://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/minecraft-bedrock-hacks_GM479516143.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/spin-hack-for-coin-master_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/free-coins-and-spins-in-coin-master_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/hacks-to-get-robux-in-tower-of-hell-may-2021_GM431946152.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/getrobux-come_GM431946152.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/how-to-hack-coin-master-game-2021_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/coin-master-hack-version-download-ios_GM406889139.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/robux-hack-no-verification_GM431946152.pdf
    • http://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/coin-master-free-box_GM406889139.pdf
    • https://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/how-to-hack-someones-roblox-account_GM431946152.pdf
    • https://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/best-free-roblox-outfits_GM431946152.pdf
    • https://elearning.mtsddikanang.sch.id/__statics/gudangsoal/files/roblox-executor-free-download_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000318d.bin
  SHA-256: fcb5c85321eddcf5a03a4d10acf0a1d0bdf7478a8529cefad88ceed4731115d9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x318D
  Size: 22376 bytes

Filename: font_01_sfnt_off00006396.bin
  SHA-256: ed72b4f2ec9c3e62d322bc76721f2bcdf29747585f50142c19362f30daf74e35
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6396
  Size: 19656 bytes