Malicious PDF — malware analysis report

Static analysis result for SHA-256 62eca2cd94dddaaa…

Verdict: MALICIOUS
File type: PDF
Size: 34.9 KB
Created: 2021-06-28 15:06:52 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f56df43716e69b3ed000fd904e0fc29a
SHA-1: c8ce4b96e2284efc420c25222832cd6b5cc15e9a
SHA-256: 62eca2cd94dddaaaae2387a8a439b14a1c877629bb9aa07cace0fac4dd86219c
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a document body that promotes game cheats and hacks, a lure intended to get users to download potentially malicious content. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, most likely placed for SEO manipulation or to route users to further malicious content. Although no scripts were extracted, the nature of the embedded URLs together with the ML classifier's high confidence score points to malicious intent, most likely delivery of a second-stage payload or redirection to phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/cheat-codes-for-roblox-royale-high-android-game-hack
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/how-can-i-get-free-robux_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-roblox-accounts-2021-with-robux_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/is-java-minecraft-free_GM479516143.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/impact-minecraft-hack_GM479516143.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/roblox-money-hack-no-download_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-robux-hack-no-human-verification_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/how-to-play-roblox-for-free_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/minecraft-cracked-client_GM479516143.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/coin-master-hack-tool-v1-9-download_GM406889139.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-robux-games-that-actually-work_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-robux-no-survey-or-human-verification_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/coin-master-unlimited-free-spins_GM406889139.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-cracked-minecraft-server-hosting_GM479516143.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-robux-without-human-verification-real_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/how-to-hack-a-roblox-accout_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/free-robux-codes-no-verification-2021_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/haktuts-2021-coin-master-free-spin-link_GM406889139.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/how-to-hack-peoples-roblox-accounts_GM431946152.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/how-to-download-minecraft-for-free-on-pc_GM479516143.pdf
    • http://www.tamimaudit.com/uploaded_files/userfiles/files/eran-robux-free-robux-vrobux-com-ytb_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000030ae.bin
    SHA-256: c220eca47f8140e38afde80be22df6814504f3df3d693b8966a59e5fad446a67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x30AE
    Size: 22272 bytes
  • font_01_sfnt_off0000623f.bin
    SHA-256: 0cc64a997ef71518685801f814652c92a2b2fc219afcf4ccc190b2dac1a968cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x623F
    Size: 19392 bytes