Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d0ef0df872ff808…

Verdict: MALICIOUS
File type: PDF
Size: 33.6 KB
Created: 2021-06-19 16:24:34 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a38a1015d3290c8bff8648721e15219c
SHA-1: bf8d3bcec4ae4545a7463710a9e9b28d58b6124e
SHA-256: 5d0ef0df872ff8085068024d58f73c7f8f1c3745829157b07159a3fdab3e78b8
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links to external websites, many of which are related to game hacks and cheats for popular games like Roblox and Coin Master. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of such links, suggesting a malicious intent to drive traffic to potentially harmful sites. The ML classifier also flagged this PDF as malicious with high confidence. The presence of embedded URLs and the document body content strongly suggest a lure for users seeking unauthorized game advantages, likely leading to malware downloads or phishing.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9824

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00002aca.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2ACA   22700 bytes
    SHA-256: 7f6ac61196233babc8e48b414544e527116dba3b0a2afeb011c5e2849606b040
font_01_sfnt_off00005da0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5DA0   19320 bytes
    SHA-256: 4e7a40884b9d331bfc069e44422ce94ce724a2e3dc45f5fe58b7e0c82144aab6