Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fc1f71514a88643…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Created: 2021-07-08 14:10:07 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0e09c83fc8f552896fa9411a3dedd076
SHA-1: 0aae38b2e4421865b4c20b9038a563687b59f25b
SHA-256: 0fc1f71514a886431ee09f83805571b8ed46eac4cb3c6a430bb06c080221ea55
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a document body that promotes 'free coins' and 'game hacks', strongly suggesting a phishing or scam lure. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, with one pointing to a suspicious URL that likely hosts a malicious payload. The ML classifier also flagged the PDF as malicious. While no scripts were explicitly extracted, the nature of the content and the external URL suggest an attempt to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.tw/app/406889139/freecoins-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002fbc.bin
SHA-256: 87fd3769b86bf31e594da01e4c77e8f8893a1072a70f5f388d260d65fe0642ba
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2FBC
Size: 23300 bytes

Filename: font_01_sfnt_off0000642a.bin
SHA-256: 95b27e0fe0f8d09f21308dfe7f1e0da3cbc5e6d7e802a0f52430e90404511a42
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x642A
Size: 17896 bytes