Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bf3ac56d305c512…

Verdict: MALICIOUS
File type: PDF
Size: 49.0 KB
Created: 2021-06-11 01:46:27 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 77308dd6ddcb1dda155b2392a5f66939
SHA-1: 6b2322f5774cc80241a7dfe3eec0b0badf976f1d
SHA-256: 6bf3ac56d305c512285f3d8597100a71c8cb3e033f745feaa5185a71098c3b7d
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links to external websites, many of which are structured as SEO-optimized links to game-related cheat pages. The presence of a download button lure and the ML classifier's high confidence score indicate a malicious intent to direct users to potentially harmful content. The document's primary function appears to be acting as a link farm for game hacks, likely to distribute malware or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_004_off00005189.bin
  SHA-256: 6e92a56b71181aeeac37376218caf19e5d99b9524e4cb296f4751f627dc8a9f9
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5189
  Size: 26984 bytes

Filename: font_01_sfnt_off0000902f.bin
  SHA-256: cd7e117580342c0a942c71837478e64d19f57605f7eb16894baf6d7329238b79
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x902F
  Size: 3032 bytes

Filename: font_02_sfnt_off00009aaf.bin
  SHA-256: 75421a1a7ff58a299ebee5267a9d0ca89b312251c10dd0e26e93fa33b6f98ab1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9AAF
  Size: 18960 bytes