Malicious PDF — malware analysis report

Static analysis result for SHA-256 472ce8aac623522b…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Created: 2021-06-08 16:18:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 57d9f1b4923c8b59f8c850108b7b247e
SHA-1: f11865e8da2bbf21da73b1659a912238a9d0434f
SHA-256: 472ce8aac623522b2503221830afcd1016fb7917f7189a2e1518eb1c47073795
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains numerous external links, many of which point to files hosted on bibliopolis.be, suggesting a link farm designed to distribute malicious content. The document body and embedded links indicate a lure related to game hacks, specifically for Roblox. The presence of a 'download button' heuristic further supports the intent to trick users into downloading files. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9864

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_004_off00005390.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5390
    Size: 25012 bytes
    SHA-256: 9cd9ef6825adb5eba82b0bcfb1696eb2300cd15ae858c69c1515e9e7b24bf7e3
  • font_01_sfnt_off00008d81.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D81
    Size: 19044 bytes
    SHA-256: 0a326408698e42ccc10b21530c3b64adcb4691ae20bf9eae258dcc1a488a0a6e