Malicious PDF — malware analysis report

Static analysis result for SHA-256 6404d2b15b13bfef…

MALICIOUS

PDF

Size: 35.5 KB
Created: 2021-06-20 09:48:54 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0691726eee69d2ad0ec9947ef438d67b
SHA-1: 6a9752715906aacba30e78d64bd1093545034dbe
SHA-256: 6404d2b15b13bfef2c74f838fcd8037cdaa4b3832c1dd50fbbf9f08e7a2db8f4
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links, including a primary malicious URL hosted on netcdn.co, disguised as a guide on hacking online games. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, many of which are likely part of a link farm to manipulate search engine results or distribute malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed to lead users to harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://netcdn.co/app/431946152/how-to-hack-people-on-roblox-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003442.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3442  22228 bytes
    SHA-256: 4d81b4a38d84a2e573e44ad7610a77f9c9e3808eea59ba5bdf015d061cf79236
font_01_sfnt_off00006586.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6586  19148 bytes
    SHA-256: 0496404f34f461102572dff09184c0b6082fd286070dd383a6badfad3968c72e