Malicious PDF — malware analysis report

Static analysis result for SHA-256 583d4af3d36b9168…

MALICIOUS

PDF

Size: 35.0 KB
Created: 2021-07-01 04:17:13 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 3d1c28a973ec1007466de6877a081001
SHA-1: 6b634d9da0481e3a6f5a96a254cb1dfe8643fa86
SHA-256: 583d4af3d36b9168047569ed54d58b4fe46d38ccae9056f314833cd32bcb3784
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a document body that promotes hacking tools and in-game currency for games like Roblox and Coin Master. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a link farm designed to attract users searching for cheats. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of numerous external links and the deceptive content strongly suggest the document is a lure for downloading potentially malicious tools or visiting phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_002_off00003085.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3085 | 22680 bytes
  SHA-256: 58c8b68d8500ec53a65b534003817e8f998536457cd0b3a80a792b2382b5e6d1
font_01_sfnt_off00006311.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6311 | 19292 bytes
  SHA-256: 9995eaa591a4ae7360538d13bc69f9b48a4c6000d4d0fc373ba7f602d67ad74d