Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c1c14f1fd165d6d…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Created: 2021-05-17 15:49:02 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f63e5e9be214e6818a28edf28f3b1ce2
SHA-1: 8fece8c383e1f3c8e2835906e53c36fc56d18dd7
SHA-256: 6c1c14f1fd165d6d95bb1793ac6f7f9aa3a507368786f899e1b5a682c93ba986
Risk score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous external links, many of which appear to be part of an SEO link farm. The ML classifier strongly indicated maliciousness, and the presence of a "download button" heuristic suggests a deceptive user interface. The primary goal seems to be directing users to potentially malicious or spammy websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9632

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-master-free-soins-game-hack
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/roblox-pink-free-robux_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/how-to-get-minecraft-pe-for-free_GM479516143.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-without-email_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/free-robux-no-verify_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/how-to-get-free-things-on-roblox_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-free-spins-no-verification_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-200-spin-link_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-2021-march_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-free-2021-spin-link_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/how-to-get-free-spins-on-coin-master-iphone_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/free-robux-codes-2021-real_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/how-to-hack-roblox-accounts-2021_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/free-coins-coin-master-link_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-on-chromebook_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/free-coins-and-spins-coin-master-2021_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/rbx-sites_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/free-robux-obby-2021_GM431946152.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-free-spins-and-coins-link-today_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-free-spins-app_GM406889139.pdf
    • https://elearning.mtsn5bojonegoro.sch.id/__statics/gudangsoal/files/coin-master-free-coins-link-2021_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004c56.bin
    SHA-256: d682227b1ff948d507f109941b093b33dc7dc95f2c5d87fa6e8e587562009652
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4C56
    Size: 24972 bytes
  • Filename: font_01_sfnt_off000084cb.bin
    SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x84CB
    Size: 2880 bytes
  • Filename: font_02_sfnt_off00008eb6.bin
    SHA-256: a621fa0cf6ecf429ccb0e9762dad0d1971a2824e8730eca88621f5efe7e14995
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8EB6
    Size: 17712 bytes