Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cf727a12d875f2c…

Verdict: MALICIOUS
File type: PDF
Size: 48.1 KB
Created: 2021-06-03 10:55:30 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: dbdea26cda9946e679b3d022811bdd40
SHA-1: baac11c8ad2ea1624f58ead9c146b961d1d7f6bb
SHA-256: 4cf727a12d875f2c6d8b70eb471bd0ec842c2124c3d00a9b64b0f6ccf70d6682
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, many of which are to other PDF files, suggesting a link farm or SEO manipulation tactic. The document body and extracted URLs indicate a lure related to game cheats or free in-game currency. While no scripts were explicitly extracted, the PDF structure and the presence of numerous external URIs suggest it is designed to redirect users to potentially malicious or deceptive content, possibly leveraging embedded JavaScript for obfuscation or redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00005153.bin
    SHA-256: 177b30cd783e054008c33755fc6ef2726ddd1ed0f65da09e1c4dd0b9fb0ce65c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5153
    Size: 26436 bytes
  • Filename: font_01_sfnt_off00008ec9.bin
    SHA-256: 3fb127b764b9d10f5525bc4de5ec8316de704409ccb0cf21cff3ad8a30d11676
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8EC9
    Size: 2840 bytes
  • Filename: font_02_sfnt_off0000987a.bin
    SHA-256: e2a97b64806b22db336191728b408e5b7179700d4ee5fd3b4b30addea2706a3c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x987A
    Size: 18516 bytes