Malicious PDF — malware analysis report

Static analysis result for SHA-256 28c9a76a1f1910b4…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2021-05-15 13:01:11 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 87addddec06cd57cacc509f1ed3a223a
SHA-1: 464fbe186c8633b9d4e88309341dd056f933ed48
SHA-256: 28c9a76a1f1910b46bac2b3b88581c415d257b4b661e710f7a2b183c03a50443
Risk score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous external links that together form a link farm directing users to pages offering game hacks and free virtual currency, such as Robux. The ML classifier strongly indicated maliciousness, and the presence of a link farm suggests an attempt to distribute malware or lead users to phishing sites. No scripts were extracted, but the document's structure and embedded links are indicative of a lure for potentially harmful downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                      Source                                      Size
stream_003_off00004af3.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x4AF3    25652 bytes
  SHA-256: bfcc600e0cedb7da9fb6a0694707f8bd29923053586c35db43465cff87a50a3a
font_01_sfnt_off00008574.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x8574   18012 bytes
  SHA-256: 3f1ded8a9c51e4f0f41c660fd84d3573ebe8f92a83837bcaa523a9614d650e73