Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a77da0787198be4…

Verdict: MALICIOUS
Type: PDF
Size: 47.2 KB
Created: 2021-05-17 19:02:05 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 4826578fb6843ec7817195ce792780a3
SHA-1: c7e18fda21c2297ffa06059f739581f2358d69a9
SHA-256: 6a77da0787198be4a5e9bfb7107936d53adde6184302e2d5cdf6ba78a837e8fc
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries 22 extracted URLs, 20 of which are clickable links to other PDF files on a single host (www.elearning.ma-alkhairiyah.sch.id) whose filenames advertise game hacks and cheats for Roblox, Coin Master and Minecraft; this clustering is the signature of a generated SEO link farm rather than a document with genuine citations. The ML classifier independently scored the file as malicious (0.8948). A document built this way exists to route readers into phishing or unwanted-software delivery chains, not to convey content, so the combination of the link farm with the download call-to-action is treated as a spearphishing attachment (T1566.001).

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF containing many clickable external links to other PDFs, mostly clustered on one host, matches the generated SEO/link-farm carriers used to route readers into malicious or unwanted-software delivery chains; a normal document's citation pattern does not look like this.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). On its own this is low-signal; it only matters when other findings point to a malicious workflow, as the link farm does here.
  • [info] PDF_URI: External URI
    The PDF contains at least one external URL action (/URI).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what the heuristics above evaluate is the channel that reached it (macro, JavaScript, link annotation, document body, ...). The 22 URLs extracted from this sample:
    • https://netcdn.xyz/app/431946152/what-games-on-roblox-give-you-free-robux-game-hack
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/hack-coin-master-game-apk_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/minecraft-115-2-hacks_GM479516143.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/roblox-how-to-get-free-clothes_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/free-robux-human-verification_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/coin-master-connection-lost_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/no-human-verification_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/how-to-hack-peoples-roblox-accounts_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-without-offers_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/coin-master-32-mod-hack-apk-download_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/coin-master-game-hack-version-download_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/lazy-blocks-com-free-robux_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/free-spins-coin-master-links-blogspot_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/free-robux-codes-not-used_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/hack-card-collection-coin-master_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-by-playing-games_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/minecraft-reach-hack_GM479516143.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/free-robux-generator-no-human-verification-2021_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/can-you-actually-get-free-robux_GM431946152.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/coinmaster-links_GM406889139.pdf
    • https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/roblox-free-robux-no-human-verification_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
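The link-farm heuristic above is straightforward to reproduce. The Python below is an added example written for this page, not the report engine's code: it scans a PDF for /URI actions, groups the targets by host, applies size, link-count and single-host-share thresholds (the threshold values are assumptions chosen for illustration), and checks page text for the call-to-action phrases behind SE_DOWNLOAD_BUTTON. The PDF it analyses is constructed inside the block, with 20 lure paths on the host that dominates the list above plus the two off-host links; it is not the analysed sample, and the scanner is a regex pass over raw objects, not a full PDF parser.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are illustrative assumptions, not the report engine's tuning.
MAX_SIZE_BYTES = 256 * 1024      # upper bound for a "small" PDF
MIN_EXTERNAL_LINKS = 10          # floor for "mass" external links
MIN_TOP_HOST_SHARE = 0.7         # share of links that must sit on one host
CTA_PHRASES = ("click here to download", "download now")

# Matches /A << /S /URI /URI (literal) >>. Assumes /S precedes /URI, literal
# (not hex) strings and no object streams: a scanner, not a full PDF parser.
_URI_ACTION = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Matches (literal) Tj inside an uncompressed content stream.
_TJ_STRING = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def _unescape(literal: bytes) -> str:
    """Undo the PDF literal-string escapes used here: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Every URL reachable through a /URI action (the PDF_URI channel)."""
    return [_unescape(m.group(1)) for m in _URI_ACTION.finditer(pdf)]


def extract_page_text(pdf: bytes) -> str:
    """Text shown with Tj in uncompressed content streams; FlateDecode
    streams would have to be inflated before this scan sees them."""
    return " ".join(_unescape(m.group(1)) for m in _TJ_STRING.finditer(pdf))


def link_farm_verdict(pdf: bytes) -> dict:
    """Count external links, find the busiest host and apply the
    small-size / mass-links / single-host test behind PDF_SEO_LINK_FARM."""
    urls = extract_uri_actions(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in urls
                    if u.lower().startswith(("http://", "https://")))
    external = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / external if external else 0.0
    return {
        "size": len(pdf),
        "external_links": external,
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "link_farm": (len(pdf) <= MAX_SIZE_BYTES
                      and external >= MIN_EXTERNAL_LINKS
                      and share >= MIN_TOP_HOST_SHARE),
    }


def cta_hits(pdf: bytes) -> list[str]:
    """Call-to-action phrases present in page text (SE_DOWNLOAD_BUTTON)."""
    text = extract_page_text(pdf).lower()
    return [p for p in CTA_PHRASES if p in text]


def classify(pdf: bytes) -> list[tuple[str, str]]:
    """(rule_id, severity) findings in the order the report lists them."""
    verdict = link_farm_verdict(pdf)
    findings = []
    if verdict["link_farm"]:
        findings.append(("PDF_SEO_LINK_FARM", "critical"))
    if cta_hits(pdf):
        findings.append(("SE_DOWNLOAD_BUTTON", "low"))
    if verdict["external_links"]:
        findings.append(("PDF_URI", "info"))
    return findings


def build_sample_pdf(urls, page_text="Download Now") -> bytes:
    """Construct a minimal one-page PDF with one /Link annotation per URL.
    Built for this example only; the xref table is omitted because the
    scanner works on raw objects and never consults it."""
    content = b"BT /F1 12 Tf 72 720 Td (" + page_text.encode("latin-1") + b") Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"",  # page object, filled in once the annotation object numbers are known
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
    ]
    annot_refs = []
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 712] "
                    b"/A << /S /URI /URI (" + esc.encode("latin-1") + b") >> >>")
        annot_refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots ["
               + b" ".join(annot_refs) + b"] >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: 20 lure paths (invented names) on the host that dominates
# the report's link list, plus the two off-host links the report also shows.
SAMPLE_URLS = [
    f"https://www.elearning.ma-alkhairiyah.sch.id/__statics/gudangsoal/files/lure-{i}.pdf"
    for i in range(20)
] + [
    "https://netcdn.xyz/app/431946152/what-games-on-roblox-give-you-free-robux-game-hack",
    "http://en.wikipedia.org/wiki/MIT_License",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    print(classify(SAMPLE_PDF))
```

The host-share test is what separates a link farm from a bibliography: a research paper may also carry dozens of external links, but they spread across many hosts. Real samples usually compress their content streams and may hide the action dictionary in an object stream, so a production scanner inflates streams first and resolves indirect objects rather than regex-matching the raw file.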

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_003_off00004cfd.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecode stream at offset 0x4CFD
    Size: 26800 bytes
    SHA-256: e9453d1b54f51d3105a0d8436288f8b9f1fd302e5f219a8828e3b9052beae4c3
  • font_01_sfnt_off000088d2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88D2
    Size: 2840 bytes
    SHA-256: 787e0768241fb57660bcc9c7f726cf687277c463cdf8c586c4782ee9d03c3606
  • font_02_sfnt_off00009291.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9291
    Size: 19440 bytes
    SHA-256: d075b9cdfa29af0d09f3a3e5cc134cf400d7d34255e3ca0094b6ab529e7e4150