Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fef9f8d1771b854…

Verdict: MALICIOUS
File type: PDF
Size: 34.5 KB
Created: 2021-07-09 13:07:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e9b646e3924cc10c036d0f2625cf8d50
SHA-1: a610fc5421338b97ed31708f19455fe02e523145
SHA-256: 4fef9f8d1771b854cabcd24637a91981f086e3d0895dfc3b6dffb270cd2fdc55
Risk score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous links to external resources, many of which are SEO-optimized PDF files related to game hacks and in-game currencies. The presence of a direct link to 'netcdn.tw' and the heuristic firing for 'PDF_SEO_LINK_FARM' indicate a strong likelihood of this document being used to distribute malicious content or lead users to phishing sites. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.tw/app/406889139/coin-master-for-pc-free-download-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030d9.bin
  SHA-256: b5090effe0500fa179bbc7ff9247748fdc81b42e4296baf988af559320ff2a2a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x30D9
  Size: 22420 bytes

Filename: font_01_sfnt_off000062e7.bin
  SHA-256: 9039d7237ea7013513b5d91e56d3c21495662b50b782ab39a95511540a413671
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x62E7
  Size: 18732 bytes