Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f405fc78ff1415c…

MALICIOUS

PDF

34.5 KB Created: 2021-06-29 08:06:17 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-13
MD5: f767f81bc76636d466a0d0de46720ffd SHA-1: 098cb97996384c26a9b998dad817dadc64a09673 SHA-256: 4f405fc78ff1415cc57d596e400164d8aea44870e27c86cf45f5554f97c1bdd8
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains multiple links to what appears to be a malicious redirector infrastructure, disguised as 'free generator / game hack' lures. The primary link, http://netcdn.co/app/431946152/free-roblox-gift-card-codes-2021-no-survey-game-hack, is associated with known malicious activity. The document body and embedded URLs reinforce the theme of exploiting user interest in game-related cheats and rewards to drive clicks to potentially harmful sites. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.co/app/431946152/free-roblox-gift-card-codes-2021-no-survey-game-hack In PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/roblox-free-animatins_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/more-free-roblox-jailbreak-vip-servers-link-desc_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/snxw-hack-roblox_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/free-roblox-gift-card-codes-that-work_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/how-to-get-free-robux-2021-on-phone_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/how-to-get-free-robux-for-kids_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/how-to-get-free-robux-without-paying_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/coin-master-free-spins-link-2021_GM406889139.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/roblox-infinite-ammo-hack-2021_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/coin-master-spin-hack-trick_GM406889139.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/to-get-free-robux_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/how-to-get-a-free-elitey-pet-on-roblox_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/com-hackear-roblox_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/rbx-hut_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/roblox-hack-for-free-robux-no-verification_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/hack-robux-gratis-2021_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/coin-master-app-hacks_GM406889139.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/oprewards-com-roblox_GM431946152.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/is-tiktok-free_GM835599320.pdfIn PDF document text
    • http://pustaka.faterna.unand.ac.id/repository/how-to-get-free-robux-2021-easy-and-fast_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002f5b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2F5B 21800 bytes
SHA-256: 777805b1a643fbca30a69eae438e7e5722e4361260346068d1c3be05833bab98
font_01_sfnt_off00005f14.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5F14 19884 bytes
SHA-256: db4905435f9274a53bb39394878113499811ce0b92a80d128522564725ad63af