Malicious PDF — malware analysis report

Static analysis result for SHA-256 325c02c55b825d9d…

MALICIOUS

PDF

Size: 35.4 KB
Created: 2021-06-20 07:47:50 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 0372a763643fba02a677663b91323ff3
SHA-1: e2a88ad915f5a0a51d1f397b118c41a97c7a4f08
SHA-256: 325c02c55b825d9d7f9420bfcfd63cc55ac1a0055a7b6ff172121ed637a6cc70
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded links, identified as a link farm, pointing to external sites offering game hacks and cheats. The ML classifier strongly indicated maliciousness, and the document body reinforces the lure by mentioning 'Roblox Free Game Play Online' and including URLs related to game exploits. While no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to redirect users to malicious content, potentially for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/roblox-free-game-play-online-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000314d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x314D
    Size: 22836 bytes
    SHA-256: 5021ad7ef38147ff7b971a7e6ef8d5850d1a8a0904853d84359afd42c09f43a7
  • font_01_sfnt_off0000647b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x647B
    Size: 19364 bytes
    SHA-256: 996dcaf8fcecab5dd0f9e3aaf685b03cd323da92b36040c95d067e6db5a1faa8