Malicious PDF — malware analysis report

Static analysis result for SHA-256 4880325c3ffbf6d7…

MALICIOUS

PDF

Size: 34.7 KB
Created: 2021-06-25 03:59:52 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 42c7fc9a86e6419af64065be3aa2b19e
SHA-1: 73041db483b3f94b91598f45757c5b03634bbee1
SHA-256: 4880325c3ffbf6d7319ea2f7b9cc11439efbe19432d834961e42379f7a726ac0
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains numerous embedded URLs, many of which are part of a link farm designed to attract users searching for game-related cheats or free items. The ML classifier and PDF heuristics strongly indicate malicious intent, likely to redirect users to phishing or malware download sites. No scripts were extracted, but the document's structure and content suggest a lure for initial access, possibly via spearphishing.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000305e.bin
SHA-256: 7602392fe5f41e2a94d364e8a8f5cf84a2e307cfc9f423188104c26212705299
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x305E
Size: 22396 bytes

Filename: font_01_sfnt_off00006247.bin
SHA-256: 61bd9842d5338c294b5d4f00132fcc21f635099e10f4b8827d14a913bbabf804
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6247
Size: 19120 bytes