Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e8318d4e13c53dc…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2021-06-26 13:11:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a3be3aaee2b254382a46d416b670065b
SHA-1: 1ce56e366c092775935d98ef0d7207c9159213f8
SHA-256: 5e8318d4e13c53dc5c8c53fa04cd8915440089adea089c8ae02ba324e077948f
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous links to external websites, many of which are hosted on domains related to game hacks and free in-game currency. The ML classifier and PDF heuristics strongly indicate malicious intent, likely to trick users into downloading malware or visiting malicious sites. The presence of a "download button" lure further supports this. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003312.bin
    SHA-256: 39042a9864efc6ff650c4c6e7e5cf6633acaf091f6ad0338adcfdd314419c0ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3312
    Size: 22880 bytes
  • Filename: font_01_sfnt_off0000664a.bin
    SHA-256: 7e7a46eb4a747fb6d54dd3d51d7a59e1903d8329b14c2dcf5a6f24665b29ef3b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x664A
    Size: 19320 bytes