Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ece80207cbd3fe3…

Verdict: MALICIOUS
File type: PDF
Size: 34.9 KB
Created: 2021-06-28 08:34:49 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: ece23b3ea584f9d621159d160a11a98d
SHA-1: be3a9f5dcb5a453960e1487ab9ac50d401bb6d65
SHA-256: 3ece80207cbd3fe3edbe7f161f19bb3f374482ca6f4c95d70735d73d57c1348b
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF is a lure that steers users toward downloading potentially malicious files by advertising hacks, cheats and "free" currency for popular games (Roblox, Coin Master, Minecraft). It contains numerous links to external PDFs, nearly all on a single host, which matches generated SEO link-farm carriers used to route users into malicious or unwanted-software delivery chains rather than a normal citation pattern. The ML classifier flagged the file as malicious with high confidence, and the link-farm pattern, the external URI action and the download call-to-action phrase corroborate an intent to deliver a payload. This is a static result: the destinations behind the links were not fetched here, so the final payload is not characterised in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label (macro, JS, link annotation, document body, ...) for how each URL was reached.
    Extracted URLs (channel in brackets):
    • http://netcdn.co/app/431946152/roblox-hacks-2021-augest-7th-game-hack [PDF link annotation]
    • https://xiangquan.com.tw/image/data/files/coin-master-free-spins-promo-code_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-hack-lost-world-2021_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/get-free-spins-on-coin-master_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/free-games-like-roblox_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/free-robux-microsoft_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-free-cards-link-2021_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/roblox-adopt-me-free-pets_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/descargar-coin-master-hackeado_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/how-to-hack-roblox-accounts_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-free-spins-and-coins-2021_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/how-to-get-minecraft-for-free-on-tablet_GM479516143.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-cheats-2021_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/how-to-get-roblox-premium-for-free-2021_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-admin-free-spins_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/tryrbx-site-free-robux_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/rbxoffer-com-free-robux_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-free-spins-hack_GM406889139.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/minecraft-free-download-apk-softonic_GM479516143.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/free-robux-no-human-verification-or-survey-2021_GM431946152.pdf [PDF document text]
    • https://xiangquan.com.tw/image/data/files/coin-master-mod-apk-latest-hack-with-unlimited-free-spins_GM406889139.pdf [PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [PDF document text]
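The following script is an added example and is not the analysis tool's own code. It extracts URLs from raw PDF bytes by channel (URI link annotations versus URLs drawn as page text, the two channels labelled above), then applies a link-farm test in the spirit of PDF_SEO_LINK_FARM (small file, many .pdf links, mostly one host) plus an SE_DOWNLOAD_BUTTON-style phrase check. The fixture PDFs, the hosts in them and the thresholds are assumptions; the real sample's content streams may be Flate-compressed, in which case they must be inflated before the text-channel regex sees them.

```python
"""Added example, not the analysis tool's own code: pull URLs out of a PDF by
channel (URI link annotations vs. page text) and score the link-farm pattern
the PDF_SEO_LINK_FARM heuristic describes. Hosts and thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit


def build_sample_pdf(text_urls, annot_urls, cta):
    """Construct a minimal, uncompressed one-page PDF (test fixture, not a real sample).
    Link annotations carry /URI actions; text URLs and the call-to-action are drawn
    with Tj operators in the content stream."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ({u}) >> >>"
        for u in annot_urls
    )
    content = f"BT /F1 12 Tf 72 720 Td ({cta}) Tj "
    content += "".join(f"0 -14 Td ({u}) Tj " for u in text_urls) + "ET"
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >> endobj\n"
        f"4 0 obj << /Length {len(content)} >> stream\n{content}\nendstream endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# Channel 1: /URI actions (what the report labels "PDF link annotation").
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")
# Channel 2: URLs drawn as visible text (the report's "PDF document text").
TEXT_URL = re.compile(rb"\((https?://[^\s()]+)\)\s*Tj")
# SE_DOWNLOAD_BUTTON-style call-to-action phrases; low signal on their own.
CTA_PHRASE = re.compile(rb"click here to download|download now|free download", re.I)


def extract_urls(pdf: bytes):
    """Return [(url, channel), ...] for every URL found in the raw PDF bytes.
    Real samples often Flate-compress content streams; inflate those first."""
    found = [(m.group(1).decode("latin-1"), "link annotation") for m in URI_ACTION.finditer(pdf)]
    found += [(m.group(1).decode("latin-1"), "document text") for m in TEXT_URL.finditer(pdf)]
    return found


def link_farm_score(pdf: bytes, min_links=10, host_share=0.8, max_size=200_000):
    """Flag a small PDF whose clickable/visible links are mostly .pdf files on one host.
    The three thresholds are assumed values, not the report tool's."""
    urls = extract_urls(pdf)
    pdf_links = [u for u, _ in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    verdict = {
        "size": len(pdf),
        "urls": len(urls),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": top_n / len(pdf_links) if pdf_links else 0.0,
        "cta_phrase": CTA_PHRASE.search(pdf) is not None,
    }
    verdict["PDF_SEO_LINK_FARM"] = (
        len(pdf) <= max_size and len(pdf_links) >= min_links and verdict["top_host_share"] >= host_share
    )
    return verdict


# Constructed fixtures with hypothetical hosts (not the sample's real URLs).
FARM_SLUGS = [
    "coin-master-free-spins", "coin-master-hack-2021", "get-free-spins", "free-games-like-roblox",
    "free-robux", "coin-master-free-cards", "roblox-free-pets", "how-to-hack-roblox-accounts",
    "coin-master-cheats", "roblox-premium-free", "minecraft-free-download", "coin-master-mod-apk",
]
SAMPLE_PDF = build_sample_pdf(
    text_urls=[f"https://files.example-farm.test/data/{s}_GM1.pdf" for s in FARM_SLUGS]
    + ["http://en.wikipedia.org/wiki/MIT_License"],
    annot_urls=["http://cdn.example.test/app/1/game-hack"],
    cta="Click here to download",
)
BENIGN_PDF = build_sample_pdf(
    text_urls=["https://example.org/paper.pdf", "https://other.example.net/refs.pdf"],
    annot_urls=[],
    cta="See the references below",
)

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_score(doc))
```

The host-share term is what separates a link farm from a bibliography: a genuine paper also links to many PDFs, but across many hosts. Keep the CTA phrase as a corroborating field rather than a trigger, as the report does.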

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded fonts are expected in a wkhtmltopdf-rendered document and are not indicators by themselves; their hashes are listed for correlation across samples.

Filename                        Kind             Source                                      Size
font_00_sfnt_off000030d3.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x30D3   22240 bytes
    SHA-256: 2d1ddd717d7d094acac8200d8f89c0c80fb93a3a9b917fc189746bdfb086110e
font_01_sfnt_off000061f6.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x61F6   19524 bytes
    SHA-256: 5061c707a0ed37b9de3a60f1070a2af35c8cd454412bbd1f8f56909a523e6bf0
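How artifacts of this kind are carved, as an added example that is not the analysis tool's code: walk the PDF's stream objects, inflate those marked /FlateDecode, look for an sfnt magic (TrueType 0x00010000, CFF-based "OTTO", Apple "true") and size the font from its table directory rather than by guessing where the stream ends. The fixture PDF and the two dummy fonts inside it are constructed here; a stream dictionary with nested << >> and indirect /Length references are not handled, which a production carver must do.

```python
"""Added example, not the analysis tool's own code: carve embedded sfnt (TrueType /
OpenType) font programs out of a PDF's stream objects and size them from the sfnt
table directory. The fixture PDF and fonts below are constructed, not the sample's."""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Apple TrueType
# A stream object: its dictionary (nested << >> not handled), then 'stream' + EOL.
STREAM_HDR = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # skips indirect 'n 0 R'


def sfnt_extent(buf: bytes, start: int):
    """Size of the sfnt at buf[start:] computed from its table directory, or None."""
    if buf[start:start + 4] not in SFNT_MAGICS or len(buf) < start + 12:
        return None
    num_tables = struct.unpack(">H", buf[start + 4:start + 6])[0]
    if not 0 < num_tables <= 64:  # sanity bound; real fonts have a few dozen tables at most
        return None
    end = 12 + 16 * num_tables  # header plus table records
    for i in range(num_tables):
        rec = start + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, off, length = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):  # tags are printable ASCII, e.g. b'cvt '
            return None
        end = max(end, off + length)
    if start + end > len(buf):
        return None  # truncated font or bogus table record
    return min((end + 3) & ~3, len(buf) - start)  # table data is 4-byte aligned


def iter_streams(pdf: bytes):
    """Yield (file offset of stream body, dictionary bytes, decoded data) per stream."""
    for m in STREAM_HDR.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        lm = DIRECT_LENGTH.search(dictionary)
        end = start + int(lm.group(1)) if lm else pdf.find(b"endstream", start)
        raw = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or unsupported stream: skip rather than guess
        yield start, dictionary, raw


def carve_fonts(pdf: bytes):
    """Find every sfnt inside the PDF's streams; return location, size, hash and bytes."""
    fonts = []
    for stream_off, dictionary, data in iter_streams(pdf):
        for magic in SFNT_MAGICS:
            pos = data.find(magic)
            while pos != -1:
                size = sfnt_extent(data, pos)
                if size is None:
                    pos = data.find(magic, pos + 1)
                    continue
                blob = data[pos:pos + size]
                fonts.append({
                    "stream_offset": stream_off,   # file offset of the stream body
                    "offset_in_stream": pos,       # in decoded bytes if the stream was filtered
                    "filtered": b"/Filter" in dictionary,
                    "size": size,
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "data": blob,
                })
                pos = data.find(magic, pos + size)
    return fonts


def build_sfnt(tables):
    """Construct a minimal sfnt fixture: header, table directory, 4-byte-aligned table data."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 16 * n, 0, 0)  # search fields unused here
    offset = 12 + 16 * n
    directory, body = b"", b""
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed fixtures: two dummy fonts, one Flate-compressed, one stored raw, plus a text stream.
FONT_A = build_sfnt([(b"head", bytes(range(54))), (b"name", b"FontA-dummy!")])  # 112 bytes
FONT_B = build_sfnt([(b"head", bytes(range(54))), (b"name", b"FontB-dummy!")])
_content = b"BT /F1 12 Tf (hello) Tj ET"
_deflated = zlib.compress(FONT_A)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"5 0 obj << /Length " + str(len(_deflated)).encode() + b" /Filter /FlateDecode >> stream\n"
    + _deflated + b"\nendstream endobj\n"
    + b"6 0 obj << /Length " + str(len(FONT_B)).encode() + b" >> stream\n"
    + FONT_B + b"\nendstream endobj\n"
    + b"7 0 obj << /Length " + str(len(_content)).encode() + b" >> stream\n"
    + _content + b"\nendstream endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(hex(f["stream_offset"] + f["offset_in_stream"]), f["filtered"], f["size"], f["sha256"])
```

Only the unfiltered case yields a true file offset like the 0x30D3 and 0x61F6 above; for a Flate-compressed font the offset is meaningful only within the decoded stream, which is why the record carries both numbers and the filtered flag.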