PDF malware analysis — malicious · 3d12e291b56b0106

MALICIOUS

PDF

36.6 KB Created: 2021-07-05 07:06:49 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-24

MD5: 7f5d03b080d36684961e31d6aaf2282a SHA-1: d1134cd596b217c0b7287d736fbe0b0d63597b22 SHA-256: 3d12e291b56b0106c2ad38602ff91fd988aacdb47664672da2fdc61c90787593

208 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and links to a known malicious redirector disguised as a 'free generator / game hack'. The document body and heuristics indicate a lure to trick users into visiting the malicious URL, which likely serves as a gateway to further malicious activities such as downloading a second-stage payload. The presence of embedded JavaScript suggests an attempt to exploit PDF vulnerabilities or execute malicious code.

Machine Learning

Nyx PDF Classifier malicious score 0.9980

Heuristics 6

PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE

PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://netcdn.tw/app/431946152/hey-google-how-do-you-get-free-robux-game-hack In PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/bloxpage-free-robux_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/hack-the-coin-master_GM406889139.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/how-to-sell-at-shirt-for-free-on-roblox_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/www-free-robux_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/jailbreak-roblox-free_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/tiktok-free-online_GM835599320.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/free-robux-easy-and-fast_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/play-roblox-free-online_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/how-to-get-free-spins-in-coin-master-2021_GM406889139.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/roblox-phantom-forcews-hack_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/roblox-robux-hack-no-downloading-apps_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/mcpe-master-coins-hack-download_GM406889139.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/join-this-roblox-group-for-free-robux-roblox-groups_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/phantom-forces-roblox-coin-hack_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/how-to-get-minecraft-bedrock-edition-for-free_GM479516143.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/robux-place-rewards_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/free-robux-without-password-or-email_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/how-to-get-free-robux-on-mobile-android_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/free-robux-2021_GM431946152.pdfIn PDF document text
- http://leads-bd.org/app/webroot/js/ckfinder/userfiles/files/why-does-roblox-shut-down-when-i-use-cheat-engine_GM431946152.pdfIn PDF document text
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00003586.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3586	22816 bytes
SHA-256: `5ad73fc3aaf872569615280b7673948c00b0fc4d69a2e781fb5f5cd58892156d`
`font_01_sfnt_off00006880.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6880	19568 bytes
SHA-256: `c947cb9e4153dfb2ea198cd701ec4d5f338e29feb7802fd2debd87897cec7901`

Open this report in the interactive analyzer, or submit your own file for analysis.