Malicious PDF — malware analysis report

Static analysis result for SHA-256 1257463f7f72fba4…

Verdict: MALICIOUS
File type: PDF
Size: 45.4 KB
Created: 2021-05-14 13:33:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: aedf6a1c5db585e973c181e85242df20
SHA-1: b07c07b1f57e90af59b8c453f64db408a769fe81
SHA-256: 1257463f7f72fba4e3253e0e73d6c99ebe6b5cf5b53cfa9af3bad2342aa69009
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous external links, many of which are presented as 'SEO link farms' and point to sites offering 'free robux' or 'coin master spins'. One prominent link, https://netcdn.xyz/app/431946152/free-vip-server-roblox-game-hack, suggests a lure for game-related exploits. The presence of a 'download button' heuristic further supports the malicious intent of directing users to external, potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9507

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical; ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low; ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info; ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size (SHA-256 of the carved file given per entry).

  • stream_003_off00004c2a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4C2A
    Size: 24472 bytes
    SHA-256: 031e03603c65f7648d052bace9fd36a569ff6418d74d48842ea82c7fb9a2cf49
  • font_01_sfnt_off00008459.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8459
    Size: 2828 bytes
    SHA-256: db1860fd79a3f2cbe32e2bada3ba4c68a2d581b7a24294387cd777233cc9cef6
  • font_02_sfnt_off00008e10.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E10
    Size: 18492 bytes
    SHA-256: c1771e38e47f70d4d1a65a36e251d19cfd5d8120c02d48444b4cec837a0f1c39