PDF malware analysis — malicious · 293d38a9f0a745ab

MALICIOUS

PDF

43.9 KB Created: 2021-05-11 00:31:07 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-29

MD5: 92479d7f41c09a92b53a1a0f03b877d1 SHA-1: 08271a6b10b16a7adba4e556343145ae95e831f3 SHA-256: 293d38a9f0a745ab0979fb34f17abf9bc419e7f672eded7d4cb58ba24ec74cc3

242 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document is designed as a lure, presenting itself as a 'game hack' or generator to trick users into clicking malicious links. The document contains numerous links to external PDFs hosted on an IP address, forming a link farm likely intended for SEO manipulation or to distribute further malicious content. The presence of a clipboard command lure suggests an attempt to trick users into executing commands, potentially to download and run additional payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.9969

Heuristics 8

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE

PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL

PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://netcdn.xyz/app/431946152/boku-no-roblox-hack-game-hack PDF link annotation
- http://118.98.227.172/opac/repository/real-free-robux-codes_GM431946152.pdfPDF link annotation
- http://118.98.227.172/opac/repository/coin-master-hack-android-no-root_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/coin-master-spins-gratis_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/free-spins-from-coin-master_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/roblox-avatar-free_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/how-to-get-free-robux-on-computer_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/free-robux-games-on-roblox_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/roblox-promo-codes-for-free-robux_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/coin-master-free-spins-ios_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/mcpe-master-unlimited-coins-free-download_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/coin-master-hack-cheat-engine_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/coin-master-free-cards-link_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/get-free-spins-coin-master_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/free-roblox-clothes-for-your-avatar_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/free-spins-coin-master-ios-2021_GM406889139.pdfIn PDF document text
- http://118.98.227.172/opac/repository/free-minecraft-games-for-kids_GM479516143.pdfIn PDF document text
- http://118.98.227.172/opac/repository/free-robux-games-that-actually-work_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/how-to-hack-minecraft_GM479516143.pdfIn PDF document text
- http://118.98.227.172/opac/repository/roblox-robux-hack-generator_GM431946152.pdfIn PDF document text
- http://118.98.227.172/opac/repository/is-coin-master-hack-safe_GM406889139.pdfIn PDF document text
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off00004a1e.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x4A1E	27796 bytes
SHA-256: `06c977236e4c7577d3e10fa0f48950b8a372356ebd73defe6bdb090dbcbd7e29`
`font_01_sfnt_off00008906.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8906	18320 bytes
SHA-256: `cd83af5ba5492d0d90d9a213d6c06333e9cd9f39d2b07ffbf91c7f3a8ed3d34e`

Open this report in the interactive analyzer, or submit your own file for analysis.