Malicious PDF — malware analysis report

Static analysis result for SHA-256 24e01e2935c89a14…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Created: 2021-05-13 23:30:58 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 43beab7d7105c49ab2cb135ccde3f746
SHA-1: d0ffcc1d9b849248c17b2e7529c65b485e2af3a7
SHA-256: 24e01e2935c89a1419a37c42dc17b43f7bb3e8f6a9309fb057ef045494a14a78
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the embedded links the reader is lured into clicking correspond to T1204.001 User Execution: Malicious Link; "Malicious Link" is not the name of T1204.002)

The PDF contains a large number of embedded links, clustered on a single host and identified as a PDF link farm, pointing to pages that advertise game cheats and free in-game currency (Robux, Coin Master spins). The ML classifier also flagged the PDF as malicious with high confidence. The authoring application (wkhtmltopdf) shows the file was rendered from an HTML page, consistent with automatically generated link-farm content rather than a hand-authored document. The document body and the extracted URLs point to a lure aimed at users seeking in-game advantages, a common entry point for phishing or unwanted-software distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9632

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own, unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-master-free-spins-hack-game-hack
    • http://www.abilityireland.com/uploaded_files/userfiles/files/how-to-get-more-robux-for-free_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/how-do-you-get-free-robux_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-daily-free-spins-link-download_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-robux-generator-no-human-verification-2021_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/hackear-coin-master-sin-root_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-robux-just-enter-username-and-password_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-robux-sites-that-work_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/how-to-get-free-robux-2021_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/who-to-get-free-robux_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-spins-on-coin-master-hack_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/get-free-spins-coin-master-link_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/robloxfun-com-generator_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-robux-generator-2021-no-human-verification-or-survey_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/how-do-you-get-free-robux-without-paying_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/minecraft-free-exe_GM479516143.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/earn-roblox_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/how-to-get-free-robux-easy-2021_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-coin-and-spin-in-coin-master_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-hack-version_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/minecraft-free-download-ios_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License
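The two findings above that carry the verdict, PDF_SEO_LINK_FARM and (as a supporting signal) SE_DOWNLOAD_BUTTON, can be reproduced with a short triage script. What follows is an added example, not the analyzer's own code: it pulls every /URI action out of a PDF, both from raw objects and from inflated FlateDecode streams (object streams included, which is where PDF 1.5+ writers hide annotation dictionaries), then scores the host distribution. The sample PDF is constructed inline so the script runs offline; the hosts linkfarm.example and cdn.example, the thresholds (100 KB, 10 links, 70% of links on one host) and the call-to-action phrase list are assumptions, not the report's tuned values.

```python
"""PDF link-farm triage (added example, not the analyzer's code): extract /URI targets
from raw objects and inflated FlateDecode streams, then score the host distribution."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI key followed by a literal string (...) or a hex string <...>
_URI_RE = re.compile(rb'/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)
# stream dictionary (one nesting level allowed) followed by the stream body
_STREAM_RE = re.compile(rb'<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)endstream', re.S)
# literal string used directly as a text-show operand
_TJ_RE = re.compile(rb'\(((?:\\.|[^\\)])*)\)\s*Tj')
_ESC = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f',
        b'(': b'(', b')': b')', b'\\': b'\\'}
CTA_PHRASES = ('click here to download', 'download now')  # assumed, illustrative list


def _unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n-style, \\( \\) \\\\, octal \\ddd, line continuation."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b'\\':
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif nxt and nxt in b'01234567':              # up to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j] in b'01234567':
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        elif nxt in (b'\n', b'\r'):                    # backslash-newline continuation
            i += 3 if raw[i + 1:i + 3] == b'\r\n' else 2
        else:                                          # unknown escape: keep the character
            out += nxt
            i += 2
    return bytes(out)


def _decode_uri(m) -> str:
    if m.group(1) is not None:
        return _unescape_literal(m.group(1)).decode('latin-1')
    h = re.sub(rb'\s+', b'', m.group(2))               # hex string; odd length is padded with 0
    return bytes.fromhex((h + b'0' * (len(h) % 2)).decode('ascii')).decode('latin-1')


def iter_flate_streams(pdf: bytes):
    """Yield (offset, inflated body) for each FlateDecode stream; undecodable ones are skipped.
    The offset is where the compressed body starts, as in the carved-artifact listing."""
    for m in _STREAM_RE.finditer(pdf):
        if b'/FlateDecode' in m.group(1):
            try:
                yield m.start(2), zlib.decompressobj().decompress(m.group(2))  # trailing bytes ok
            except zlib.error:
                continue


def extract_uris(pdf: bytes) -> list:
    """Every /URI target from raw objects and inflated streams. Duplicates are kept: repetition
    is part of the link-farm signal."""
    sources = [pdf, *(body for _, body in iter_flate_streams(pdf))]
    return [_decode_uri(m) for src in sources for m in _URI_RE.finditer(src)]


def find_call_to_action(pdf: bytes) -> list:
    """Crude SE_DOWNLOAD_BUTTON check: only literal-string Tj operands, no TJ arrays or font
    encodings, so this is a supporting signal and never a detection on its own."""
    sources = [pdf, *(body for _, body in iter_flate_streams(pdf))]
    shown = b' '.join(_unescape_literal(m.group(1)) for src in sources for m in _TJ_RE.finditer(src))
    text = shown.decode('latin-1').lower()
    return [p for p in CTA_PHRASES if p in text]


def assess(pdf: bytes, max_size=100 * 1024, min_links=10, min_share=0.7) -> dict:
    """Small file + many links + one dominant host => link-farm carrier (thresholds assumed)."""
    urls = extract_uris(pdf)
    hosts = Counter((urlsplit(u).hostname or '').lower() for u in urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ('', 0)
    share = top_n / len(urls) if urls else 0.0
    return {'size': len(pdf), 'links': len(urls), 'hosts': len(hosts),
            'top_host': top_host, 'top_share': round(share, 3),
            'link_farm': len(pdf) <= max_size and len(urls) >= min_links and share >= min_share,
            'cta': find_call_to_action(pdf)}


def build_sample_pdf(urls) -> bytes:
    """Constructed input (no xref table; a byte scanner never needs one): one /Link annotation per
    URL. Odd-indexed ones are packed into a FlateDecode object stream, as PDF 1.5+ writers do."""
    parts, packed = [b'%PDF-1.5\n'], []
    for i, u in enumerate(urls):
        lit = u.encode('latin-1').replace(b'\\', b'\\\\').replace(b'(', b'\\(').replace(b')', b'\\)')
        annot = b'<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (' + lit + b') >> >>'
        if i % 2 == 0:
            parts.append(b'%d 0 obj\n%s\nendobj\n' % (10 + i, annot))
        else:
            packed.append((10 + i, annot))
    header, body = b'', b''
    for num, obj in packed:                            # ObjStm header: "objnum offset" pairs
        header += b'%d %d ' % (num, len(body))
        body += obj + b'\n'
    data = zlib.compress(header + body)
    parts.append(b'9 0 obj\n<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n'
                 % (len(packed), len(header), len(data)) + data + b'\nendstream\nendobj\n')
    page = zlib.compress(b'BT /F1 12 Tf 72 700 Td (Click here to download) Tj ET')
    parts.append(b'8 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(page)
                 + page + b'\nendstream\nendobj\n%%EOF\n')
    return b''.join(parts)


# constructed link set: 14 same-host "free currency" lures, one off-host app page, one licence link
SAMPLE_URLS = [f'http://linkfarm.example/files/free-robux-{i}_GM431946152.pdf' for i in range(14)] + [
    'https://cdn.example/app/406889139/coin-master-free-spins-hack',
    'http://en.wikipedia.org/wiki/MIT_License']

if __name__ == '__main__':
    print(assess(build_sample_pdf(SAMPLE_URLS)))
```

Run against the constructed sample, assess() reports 16 links across 3 hosts with 87.5% on linkfarm.example and flags link_farm, while a two-link control document does not trip it. Two design points worth keeping in a real pipeline: scanning only the raw bytes misses every annotation that lives inside an object stream, so inflating streams first is not optional; and the host-share ratio, not the raw link count, is what separates a link farm from a long reference list that happens to cite many sites.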

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_003_off00004ba5.bin
  SHA-256: dfd811f950d1916f8a3c849c178aec8469c683dbadd82ca82e5f105a41735875
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4BA5
  Size: 24460 bytes

font_01_sfnt_off000083af.bin
  SHA-256: 601c50867a41b9362538ff18e5f9479a0f9badf698aaf1eb7e88469c11719db7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x83AF
  Size: 2920 bytes

font_02_sfnt_off00008dc9.bin
  SHA-256: 5bc30252b20e252a4e4f12754ee6fd7a8bdc905346c0352a18cf9aa56584dd16
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DC9
  Size: 18056 bytes