Malicious PDF — malware analysis report

Static analysis result for SHA-256 68052af31bc22492…

MALICIOUS

PDF

Size: 48.3 KB
Created: 2021-05-11 05:38:36 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 426ee71a27bd6c66b397452412e3bbf7
SHA-1: 42e26dd4b0a7403b1f7118a38331015f7f7c91c9
SHA-256: 68052af31bc224925b40df9b3843d55f0a3137f96a6d612c844e72bf3484b994
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links to external websites, many of which are presented as "hacked clients" or "free spins" for popular games, indicating a lure for potentially unwanted or malicious software downloads. The ML classifier strongly flagged this PDF as malicious, and the presence of a large number of external links further supports a malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9013

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004bad.bin
  SHA-256: 28e945fcaa201152fd31d141b8b3b2288d3ba4c01d9e73d842bcd87ce0c58261
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4BAD
  Size: 29548 bytes

Filename: font_01_sfnt_off00008daa.bin
  SHA-256: 36b567300ddd12ae2c06e1737e472b7bc1cd94223cb3cf4c6606a5734a5e5e7b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DAA
  Size: 3224 bytes

Filename: font_02_sfnt_off000098d9.bin
  SHA-256: f9a71ab68452ae4ccd094805e59123059ba28481ac44c73a337d9a6d18fc1d00
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x98D9
  Size: 18768 bytes