Malicious PDF — malware analysis report

Static analysis result for SHA-256 326226c40f186b78…

MALICIOUS

PDF

45.6 KB Created: 2021-05-19 23:10:32 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 14cbdef72a10bdee19b692293054c65b SHA-1: 67a8ec5a9ad798710ce67d05b5fd35c1c862596d SHA-256: 326226c40f186b783e9f6f88e639229ba88f815d4f62cb782f45c65905b5bc1f
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF contains a large number of embedded links pointing to other PDFs, many of which are hosted on an IP address. The document also contains lures for MFA or one-time codes, suggesting a phishing or credential harvesting attempt. The presence of multiple external PDF links indicates a link farm designed to direct users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9507

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-generator-codes-game-hack
    • http://111.68.26.74/widyapustaka/repository/coin-master-free-spin-today-2021_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-60-spins_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-codes-no-verification_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/pokeballs-in-pokemon-go-free_GM1094591345.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-a-free-minecraft-server_GM479516143.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-coin-master-card-free_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-free-robux-website_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/free-spin-in-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/i-cant-get-free-spins-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/avatar-the-last-airbender-roblox_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-cards-hack-2021_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-admin-roblox_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/easy-robux-hack_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-hack-fast-org_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-gold-cards-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-hack-no-verification-no-signup_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-websites-2021_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/freespincoin-masterlinkdownload_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-pin-codes_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-free-robux-2021_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00004a9a.bin
e68f43a61cce1a5805d08fa02a9b7e9353ace2f08d87602bc3f50a9eb7ee6ef1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4A9A 25184 bytes
font_01_sfnt_off00008506.bin
02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8506 2912 bytes
font_02_sfnt_off00008f03.bin
a3c42500ab941ca6b3cc9f1b186676fd5f7f9f0c0249e27b539405b68f11e4ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F03 18520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.