Malicious PDF — malware analysis report

Static analysis result for SHA-256 5831396e41c873b1…

Verdict: MALICIOUS
File type: PDF
Size: 35.3 KB
Created: 2021-07-05 08:54:12 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3390ff3663fbbfd9e70144e0b9c7b814
SHA-1: 0475db761d35a06a6d71f6468d38569c97036b71
SHA-256: 5831396e41c873b1372c434ad6d66696599adf831cadb8c20eb01403a8a50b81
Risk Score: 122

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many pointing to IP addresses, that are designed to lure users into downloading game hacks. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, and the ML classifier strongly flags this PDF as malicious. The document body and extracted URLs suggest a social engineering tactic to distribute potentially unwanted or malicious applications.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003230.bin
    SHA-256: bdf73765f88f6939193be9f99495aa3b10a15ce1fd60cabe1924af2e157f95c7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3230
    Size: 22932 bytes
  • Filename: font_01_sfnt_off000065c4.bin
    SHA-256: aac05d6177a90b60b5ec55135024cf4c2d0f170c36ca73a7d8cfbc5a1b3be2be
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65C4
    Size: 18804 bytes