Malicious PDF — malware analysis report

Static analysis result for SHA-256 2db5bd3462222b1d…

Verdict: MALICIOUS

File type: PDF

Size: 43.6 KB
Created: 2021-05-11 06:38:04 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ce83e4af8468403eb909772599fd2cf3
SHA-1: 6d44f9f9640f60d38f545505d1be0531bce9e0fb
SHA-256: 2db5bd3462222b1ded518c2e8771acc89555f04965daf6fbd71ee02edb706181

Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document contains numerous embedded links to external websites, many of which are structured as SEO-optimized PDF downloads for game-related cheats and hacks. The ML classifier strongly indicated maliciousness, and the presence of a link farm heuristic suggests an attempt to distribute malicious content or engage in SEO poisoning. The document body, though heavily obfuscated, contains references to 'Roblox Hack Tool' and URLs pointing to similar content, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9969

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/roblox-hack-tool-game-hack
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-rewards-free-spins_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/free-robux-generator-no-human-verification-2021_GM431946152.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-15-free-spin-link-today_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/how-to-get-free-robux-without-downloading-anything_GM431946152.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-hacks-for-gold-cards_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/daily-free-spin-coin-master-link_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/minecraft-games-online-free-no-download_GM479516143.pdf
    • https://library.sdksantamariabwi.sch.id/repository/download-coin-master-apk-hack_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/how-to-hack-someones-minecraft-account_GM479516143.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-hack-tool-india_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/free-robux-hack-no-human-verification-or-survey_GM431946152.pdf
    • https://library.sdksantamariabwi.sch.id/repository/minecraft-book-collection_GM479516143.pdf
    • https://library.sdksantamariabwi.sch.id/repository/rewards-roblox_GM431946152.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-free-spins-hacktman_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-free-spins-and-free-coins_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-free-spins-2021-app-download_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/rewardex-robux_GM431946152.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-daily-gift-free-spins-and-coins-link_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/free-coins-app-for-coin-master_GM406889139.pdf
    • https://library.sdksantamariabwi.sch.id/repository/coin-master-hack-2021-android_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004cbe.bin
  SHA-256: d0f6c58d2cfcd3f66f27eb66b82627baadd4be7e2b9f7fc4bfea3fcb4bdab146
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4CBE
  Size: 25600 bytes

Filename: font_01_sfnt_off00008826.bin
  SHA-256: 31a2c7908075477008558d8ad35fc874cd0c1469ac409190117581929eec3da7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8826
  Size: 18184 bytes