Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ed3cd9da95f9ffe…

MALICIOUS

PDF

Size: 48.9 KB
Created: 2021-06-09 14:54:00 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 42eee2ed5ae1df3540a890643e719121
SHA-1: acdbed65a5de69abb91d75f0aca3c7368f480918
SHA-256: 4ed3cd9da95f9ffe03804ed08e37879a7f04b97421555d3bef743d4d2f626f6b
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document exhibits the characteristics of a malicious SEO link farm, designed to lure users with promises of free Robux and game hacks. It contains numerous external links, many pointing to other PDF documents hosted on the same domain, which suggests an attempt to drive traffic to potentially harmful content. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9796

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.tw/app/431946152/how-do-i-get-free-robux-without-doing-anything-game-hack

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_004_off0000530a.bin | 694d91ca794a22b767d29fb3866cd87e406cdbe866a1a84c68d2a52b781c906f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x530A | 24708 bytes
font_01_sfnt_off00008bff.bin | 4c836a6246321303d10fca719808d35220b906ca76bbb44946cc04297e9ce808 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8BFF | 3948 bytes
font_02_sfnt_off000098f7.bin | 4279bf1796e0d98962865bc5d73de441ea7fd558f85a1cbef1f3e3113d85468d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x98F7 | 19400 bytes