Malicious PDF — malware analysis report

Static analysis result for SHA-256 4946b1ecf1b388e4…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Created: 2021-05-11 22:07:14 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: c41c2c47d87993e90f7c0c89e7fee785
SHA-1: 57946961bd5cd264b07601a0d99def983e5311c4
SHA-256: 4946b1ecf1b388e429cdbe7ae974e141e09d7cc3dc1a5c55552ff218440467e7
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains numerous embedded links, identified as a link farm, that direct users to websites offering 'free Robux' and game hacks. The presence of a 'visual download' button lure further suggests an attempt to trick users into clicking these links. The primary goal appears to be directing users to potentially malicious external sites for further exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9969

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/free-ways-to-get-robux-game-hack
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-robux-websites-that-actually-work_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/roblox-promo-codes-for-free-robux_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-roblox-groups_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-coin-master-hacks-no-verification_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/collect-free-spins-coin-master_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-robux-picture_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/como-hackear-coin-master-en-espaol_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-spins-coin-master-hack-2021_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-minecraft-java-edition-account_GM479516143.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-on-computer_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/daily-spin-coin-master-free_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/where-to-get-free-robux_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-on-chromebook_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/how-many-levels-are-in-coin-master_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/cmaster-club-coin-master-hack-tool_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/bloxawards-com-earn-free-robux_GM431946152.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-2021-iphone_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-coins-and-spins-for-coin-master-game_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/www-coin-master_GM406889139.pdf
    • http://elearning.min11blitar.sch.id/__statics/gudangsoal/files/free-cracked-minecraft-server-hosting_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004b74.bin
    SHA-256: 498c351c89e888e4ed3a2fa4863397558391ee9ad7b79c4cdd408aae4b9e636f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4B74
    Size: 25552 bytes
  • Filename: font_01_sfnt_off0000871c.bin
    SHA-256: 4748f019d46a9554f00c7c8cf9bb59ec204dfb95bc520e2d25b5a7c8ef81b270
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x871C
    Size: 18724 bytes