Malicious PDF — malware analysis report

Static analysis result for SHA-256 50d782a0a5bc9546…

MALICIOUS

PDF

Size: 35.7 KB
Created: 2021-07-01 22:40:57 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: d5d54e1900cabca54078b1889f5df07a
SHA-1: cd3a4a9423950a9e9a1c7e86d6c3ca2cb1d02b17
SHA-256: 50d782a0a5bc95464ff2f34af5c7eb72564a99a8635e815ab342bf75df4a7362
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF document contains numerous links to external websites, many of which are SEO-optimized PDF documents related to game hacks and cheats. The document body and extracted URLs suggest a lure for users seeking in-game advantages, likely leading to malware or phishing sites. The presence of a 'password-protected archive handoff' heuristic indicates a common tactic to bypass security scanning.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.co/app/431946152/roblox-free-items-2021-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000031fd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31FD
    Size: 22892 bytes
    SHA-256: 1895bfe7d90858c6dfd999cbfca1a1816637b41157f42b460d2e057b15cede3a
  • Filename: font_01_sfnt_off0000655a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x655A
    Size: 19416 bytes
    SHA-256: a6079297a4f3312fdaf61b9e539ac17decd7e7bd8bb07ce2c802050efbe31670