Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a8fee3ee31f67c9…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Created: 2021-06-30 13:48:03 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: faf0e7b1ac0bb614b86ff4d9474c43b9
SHA-1: e16716b060e71f2e4334c95f67624d57619bed76
SHA-256: 3a8fee3ee31f67c985c1da1eb5a5e29f95336609b871a30f2504254669b76974
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded links, identified as a link farm, that direct users to websites offering game hacks and cheats. The ML classifier strongly indicated maliciousness, and the presence of numerous external links pointing to a single host suggests an attempt to redirect users to potentially harmful content or downloads. No scripts were extracted; the verdict rests on the document's structure and content, which point towards a social engineering tactic to lure users into visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000339e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x339E
    Size: 23192 bytes
    SHA-256: 335bad4ceaee8fcb83f36a613d21f48f4f5032cf4e2bb976739f9fef545d8454
  • Filename: font_01_sfnt_off000067e0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67E0
    Size: 18944 bytes
    SHA-256: 0a6e5ed4612a49bca6b0bc507a132acf32e6ab42bbb3bc8ad7a48a5162690981