Malicious PDF — malware analysis report

Static analysis result for SHA-256 12c82c456d0a9f67…

Verdict: MALICIOUS
File type: PDF
Size: 34.6 KB
Created: 2021-06-28 07:48:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a257a0eb10f77bbac19f50cef27afc42
SHA-1: 8d78036bb7f1876b386fc99570c6e97211db2d28
SHA-256: 12c82c456d0a9f6761c4a33973e2a0bccafa861a64e5a77631d7f437d718ef1b
Risk Score: 102

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded links and a document body that promotes hacking and cheating for popular games, aiming to trick users into downloading malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of a large number of external links, many with SEO-like slugs, indicates a link farm designed to distribute malware or lead to phishing sites. No scripts were extracted from this sample, but the overall structure and content strongly suggest a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://netcdn.co/app/431946152/hacking-become-admin-roblox-game-hack
    • http://www.pspmrsmkklawang.com/opac/repository/free-robux-generator-without-human-verification_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/commands-for-free-admin-roblox_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/free-roblox-promo-codes-for-robux_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/lastrick-com-coin-master-hack_GM406889139.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/roblox-bubble-gum-leviathan-free_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/how-to-hack-roblox-accounts-2021-easy_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/how-to-hack-all-the-cargo-crates-in-roblox_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/big-brother-roblox-exploits-free-download_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/coin-master-hack-2021_GM406889139.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/coin-master-free-spin-27_GM406889139.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/2021999-free-robux_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/imaflynmidget-roblox-free-robux_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/minecraft-pe-apk-free-download_GM479516143.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/how-do-you-get-free-coins-in-coin-master_GM406889139.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/watch-ads-for-free-robux_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/best-minecraft-hacked-client_GM479516143.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/free-robux-dec-2021_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/roblox-com-free-robux_GM431946152.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/coin-master-free-spins-for-today_GM406889139.pdf
    • http://www.pspmrsmkklawang.com/opac/repository/coin-master-hack-mod-apk_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00003056.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3056   22228 bytes
  SHA-256: a135f0cb9d64be8832c67d4222fef082bf39e7ce3c09a267738c5f79e509b77d
font_01_sfnt_off000061ad.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x61AD   19208 bytes
  SHA-256: 8947cfd2c0983b4991296f4b28e15ba80fb8b84dbcaad5e8fccc4442b8939f90