Malicious PDF — malware analysis report

Static analysis result for SHA-256 219f70528c98d34a…

Verdict: MALICIOUS
File type: PDF
Size: 49.7 KB
Created: 2021-05-17 06:05:36 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 5627a5a8d71fc8449361f36003feabe3
SHA-1: 2a07177c89bb016f984696d6bd6b074c1737767b
SHA-256: 219f70528c98d34a365df6b9f41483ba8f55bb9a3dc046cba7cc7237cbb535ff
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links to websites that appear to be part of a link farm, promoting hacks and freebies for popular games. The ML classifier also flagged this PDF as malicious. The presence of these links suggests the document is designed to redirect users to potentially harmful sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8642

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004c83.bin
    SHA-256: 27c91d05c74dccce2b56d557fab8d25aed9a14a8ab85b75d5588ad83637e4a41
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4C83
    Size: 26400 bytes
  • Filename: font_01_sfnt_off000088ed.bin
    SHA-256: a17c2a746d49ac23b23e38a371e32fddecfcd91b10cf42ff6155bff6b8a07e91
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88ED
    Size: 4028 bytes
  • Filename: font_02_sfnt_off0000968e.bin
    SHA-256: 6fd7c7f447d66842f81aa8cf197935b17f22157d0c7e9f95622df1b5b4ddf530
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x968E
    Size: 2788 bytes
  • Filename: font_03_sfnt_off0000a07e.bin
    SHA-256: 95118de0f1fa2d9d8d6d34d7ce9f6e9c56d43c25fce4d2a4bd556d275959b9e0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA07E
    Size: 18056 bytes