Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c06036c51dd6ac5…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Created: 2021-06-03 05:35:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 22bfd5c91ab7671224036ce997c40e63
SHA-1: eee4c770a785ee0062b4c1d960188e5bc67986a0
SHA-256: 1c06036c51dd6ac57ddb12463ed7a556770dabedfe4f0c855fc30869ffef8571
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document exhibits characteristics of a malicious SEO link farm, containing numerous links to other PDF files, likely designed to attract users with lures like 'free Robux' or 'free spins'. The presence of a 'download button' heuristic and external URI firings strongly suggests an attempt to trick users into downloading further malicious content. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_004_off0000543c.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x543C
    Size: 29120 bytes
    SHA-256: 3a8588f7caa4095af7cc3fd4e55c5eafe7fadb42385e1548cfc57f5b78b88bcf
  • font_01_sfnt_off000095a5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x95A5
    Size: 2912 bytes
    SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f
  • font_02_sfnt_off00009fa2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9FA2
    Size: 18488 bytes
    SHA-256: 53d97953320c4a27ca75ab54c15cccabcbe94f1a7eef6df1be3b25df4f56750c