Malicious PDF — malware analysis report

Static analysis result for SHA-256 12aaddd7f6b06a08…

Verdict: MALICIOUS
File type: PDF
Size: 34.5 KB
Created: 2021-07-09 10:14:37 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e20c137061f25330399892153c61891f
SHA-1: 6c8a56b7fe0054dbf914769b08715c8a2753f777
SHA-256: 12aaddd7f6b06a087475d06a4ec5a1a39e38be85e30a709a6245af374c88fcb9
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF is a small, wkhtmltopdf-generated document whose body is a list of links dressed up as offers of game cheats and free in-game currency (Robux, Coin Master spins, TikTok likes). Nearly all of the links point at further PDFs under one static-files directory on a single host, which is the pattern behind the critical PDF_SEO_LINK_FARM heuristic, and the ML_NYX_PDF_MALICIOUS classifier scores the file 0.9980. Static analysis does not fetch the link targets, so the end of the chain is not confirmed here; the lure text and link structure are consistent with routing users to malware or unwanted-software downloads, or to phishing pages that harvest credentials or other sensitive information.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/835599320/get-free-likes-on-tiktok-game-hack
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/roblox-garbage-simulator-script-hack_GM431946152.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/free-promocodes-roblox-october-2021_GM431946152.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/coin-master-free-spin-app-apk_GM406889139.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-download_GM406889139.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/mad-city-roblox-money-hack_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/roblox-free-download-for-computer_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/roblox-free-accounts-with-robux-2021_GM431946152.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/tiktok-free-edits_GM835599320.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/robux-sign_GM431946152.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/free-robux-no-verification-no-download_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/roblox-sad-cheating-story-lbert_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/roblox-fun-com-free-robux_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/free-robux-generator-2021-no-survey_GM431946152.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/how-to-use-cheat-engine-67-on-roblox-2021_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/how-to-make-a-free-server-in-minecraft-java_GM479516143.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/free-robux-quiz_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/coin-master-hack-apk-download-2021_GM406889139.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/best-free-roblox-exploit-2021_GM431946152.pdf
    • https://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/free-robux-com-uk_GM431946152.pdf
    • http://elearningman2.man2palembang.sch.id/__statics/gudangsoal/files/roblox-ip-address-hack_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
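The PDF_SEO_LINK_FARM heuristic above is described only in words (small file, many external links, most on one host). The following is an added example, not the analysis vendor's code and not derived from the sample: it pulls /URI action targets out of a PDF, inflating FlateDecode streams first because link annotations usually sit inside compressed object streams, and then scores the file against that pattern. The thresholds, the `link-farm.example` hostname and the `build_sample_pdf` helper that constructs a minimal test PDF are assumptions made for the example.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions chosen for this example; the report does not
# publish the tuning of its PDF_SEO_LINK_FARM heuristic.
MAX_SIZE_BYTES = 100 * 1024     # "small PDF"
MIN_EXTERNAL_LINKS = 10         # "many clickable external links"
MIN_TOP_HOST_SHARE = 0.8        # "mostly clustered on one host"

# /URI (...) literal-string operands; handles escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# stream ... endstream bodies; the lookbehind stops "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def pdf_uris(data: bytes) -> list:
    """Return every /URI action target, searching the raw file and every
    stream that inflates with zlib (FlateDecode), since link annotations
    are usually packed inside compressed object streams."""
    views = [data]
    for m in STREAM_RE.finditer(data):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (e.g. an embedded font); skip it
    uris = []
    for view in views:
        for m in URI_RE.finditer(view):
            raw = m.group(1)
            for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
                raw = raw.replace(esc, lit)
            uris.append(raw.decode("latin-1"))
    return uris


def seo_link_farm(data: bytes) -> dict:
    """Score a PDF against the link-farm pattern: small file, many external
    http(s) links, most of them on a single host, most pointing at other PDFs."""
    external = [u for u in pdf_uris(data) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external) if external else 0.0
    pdf_targets = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    hit = (
        len(data) <= MAX_SIZE_BYTES
        and len(external) >= MIN_EXTERNAL_LINKS
        and share >= MIN_TOP_HOST_SHARE
    )
    return {
        "size": len(data),
        "external_links": len(external),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "pdf_targets": pdf_targets,
        "hit": hit,
    }


def build_sample_pdf(n_links: int, host: str) -> bytes:
    """Constructed sample (not the analysed file): a minimal PDF whose link
    annotations live in one Flate-compressed object stream, plus one benign
    off-host link to mirror the Wikipedia licence link seen in the report."""
    annots = "".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
        f"/A << /S /URI /URI (http://{host}/files/free-robux-{i}.pdf) >> >>\n"
        for i in range(n_links)
    )
    annots += "<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://en.wikipedia.org/wiki/MIT_License) >> >>\n"
    packed = zlib.compress(annots.encode("latin-1"))
    head = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 300] >> endobj\n"
        f"4 0 obj << /Type /ObjStm /N {n_links + 1} /First 0 "
        f"/Filter /FlateDecode /Length {len(packed)} >>\nstream\n"
    ).encode("latin-1")
    return head + packed + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # 20 same-host PDF links plus one Wikipedia link trips the heuristic;
    # 3 links do not.
    print(seo_link_farm(build_sample_pdf(20, "link-farm.example")))
    print(seo_link_farm(build_sample_pdf(3, "link-farm.example")))
```

Running this on a real sample means passing the file bytes to `seo_link_farm`; on the report's sample the external-link count and the single dominant host would come from the 22 URLs listed above. Two caveats a practitioner should keep in mind: the regex approach does not decode object streams that use filters other than FlateDecode (LZW, ASCIIHex, etc.), and it will not see links built at runtime by embedded JavaScript, so it is a triage check, not a replacement for a full PDF parser.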

Extracted artifacts (2)

Files carved from inside the sample during analysis.

stream_002_off000030ce.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x30CE
  Size:    23116 bytes
  SHA-256: 50524860a804c0838ce0894e29f6a9aee979d9dd85daf9c03cfa31a21bb88032

font_01_sfnt_off0000651b.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x651B
  Size:    17972 bytes
  SHA-256: 52cbd39803938a4a9263c7f389569a99594dd22a961128dfc7d6d6e290d29b9d