Malicious PDF — malware analysis report

Static analysis result for SHA-256 58c26f56356c8d7f…

MALICIOUS

PDF

Size: 46.4 KB
Created: 2021-05-17 18:35:13 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 767ea5c41cfae1122d14fdd93d4cfd8b
SHA-1: 8ce925b8694ad13e862013ade2d502618ad3c691
SHA-256: 58c26f56356c8d7f1bf5ba3d3ad1524a160823c5ca7ef1bd968e43531d399d6e
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous external links, identified as a link farm, pointing to other PDF files. The primary URL, https://netcdn.xyz/app/406889139/coin-master-coins-free-game-hack, suggests a lure for game-related cheats or hacks. The heuristic PDF_SEO_LINK_FARM indicates a large number of these links, suggesting a tactic to manipulate search engine results or distribute content. While no scripts were explicitly extracted, the nature of the links and the ML classification point towards malicious intent, likely for SEO spam or to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/406889139/coin-master-coins-free-game-hack

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_003_off00005083.bin
    SHA-256: 80712e3e1713fe1fe07dc8d4bd21b36fe42255711de3eb636e176c79789c9553
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5083
    Size: 26700 bytes
  • font_01_sfnt_off00008ad6.bin
    SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8AD6
    Size: 2880 bytes
  • font_02_sfnt_off000094c1.bin
    SHA-256: 0afd6f2792edb83b7f2a0201a1e0a5eb12ca81ad868fb3e42742340ee6e5fb0e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x94C1
    Size: 17712 bytes