Malicious PDF — malware analysis report

Static analysis result for SHA-256 71da78259d612393…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Created: 2021-06-27 13:29:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3dd2c78a71538b1cdb8b895c3cc9ab4b
SHA-1: e1eed6d1c6e02920c742308a5cb75ae559bcfcb7
SHA-256: 71da78259d6123935abacbb66d228cf5717e4b328b16d1bee13bc17d2dca2c44
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
None of the four heuristics listed below reports JavaScript, an embedded file or an exploit payload; the T1203 mapping rests on the classifier verdict and the lure pattern rather than on an observed exploit.

The PDF is a small wkhtmltopdf-generated document (wkhtmltopdf converts HTML to PDF, which fits a generated carrier rather than a hand-authored file) carrying twenty clickable links to further PDFs, all on pariwisata.denpasarkota.go.id under a single /ckfinder/userfiles/files/ upload path, plus one link to netcdn.co and one to a Wikipedia licence page. The link targets are disguised as offers for free Robux or Coin Master spins, and the numeric suffix on each lure PDF (GM431946152 for the Robux lures, GM406889139 for Coin Master, GM479516143 for the Minecraft APK) also appears in the netcdn.co path, which ties the hosted PDFs and the external landing page to the same campaign. The ML classifier and the PDF_SEO_LINK_FARM heuristic both point to an SEO link-farm carrier whose purpose is to route users to phishing or unwanted-software download sites; the visual download button is consistent with that lure pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (22; the 20 .pdf links are all on pariwisata.denpasarkota.go.id under one /ckfinder/userfiles/files/ path):
    • http://netcdn.co/app/431946152/free-robux-pro-tv-game-hack
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/blogger-coin-master-free-spins_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/3-games-that-will-give-you-free-robux_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-free-coins-link-blogspot_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/pixies-gigantic-coin-master-free-spins-and-coins_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/martian-lettuce-coin-master-free_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-500-billion-robux-hack-2021_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-actually-get-free-robux_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/roblox-hack-2021-robux-free_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-spin-hack-app_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-daily-spins-from-coin-master_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-free-robux-really-fast_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/lumber-tycoon-2-hacked-roblox_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-robux-2021-19-pastebin_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-hack-roblox-gta-5_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-hack-app-ios_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/earn-robux-today_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/roblox-hack-me_GM431946152.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/minecraft-pocket-apk_GM479516143.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/facebook-coin-master-free-spins-link_GM406889139.pdf
    • https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/gaming-dunia-coin-master-free-spins_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License
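As an added example, not the scanner's own code, the Python below reproduces the two pieces of the EMBEDDED_URL and PDF_SEO_LINK_FARM findings: it pulls URLs from two of the channels the report names (link annotations with a /URI action, and bare URLs in content streams) and then scores a small file whose clickable .pdf links cluster on one host. The thresholds, the constructed one-page PDF and the lure paths are assumptions for the example; this page does not publish the real heuristic's thresholds, and the extractor assumes uncompressed streams and no object streams.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions for this example; the report does not state its own.
MAX_SIZE_BYTES = 100 * 1024      # "small PDF"
MIN_PDF_LINKS = 10               # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.8         # "mostly clustered on one host"

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
BARE_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def extract_urls(pdf: bytes) -> dict:
    """URLs keyed by the channel that reached them.

    link_annotation: /URI actions on /Link annotation objects (what a click follows).
    document_body:   bare URLs in content streams (text a reader can see).
    Assumption: streams are uncompressed and objects are not packed into
    object streams, as in the constructed sample below.
    """
    found = {"link_annotation": [], "document_body": []}
    for _num, body in OBJ_RE.findall(pdf):
        if b"/Subtype" in body and b"/Link" in body:
            found["link_annotation"] += [u.decode("latin-1") for u in URI_RE.findall(body)]
    for data in STREAM_RE.findall(pdf):
        found["document_body"] += [u.decode("latin-1") for u in BARE_URL_RE.findall(data)]
    return found


def score_link_farm(pdf: bytes) -> dict:
    """Apply the PDF_SEO_LINK_FARM description: small file, many clickable
    links to external .pdf files, mostly on one host."""
    urls = extract_urls(pdf)
    pdf_links = [u for u in urls["link_annotation"]
                 if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "urls": urls,
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": share,
        "PDF_SEO_LINK_FARM": (len(pdf) <= MAX_SIZE_BYTES
                              and len(pdf_links) >= MIN_PDF_LINKS
                              and share >= MIN_TOP_HOST_SHARE),
    }


def build_sample_pdf(link_urls, body_text: str) -> bytes:
    """Constructed one-page PDF: one /Link annotation per URL plus a content
    stream showing body_text.  No xref table is written; the regex extraction
    above does not need one and the file exists only for this example.
    body_text must not contain parentheses (it goes inside a PDF string)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>")
    content = b"BT /F1 12 Tf 72 720 Td (" + body_text.encode("latin-1") + b") Tj ET"
    objs.append(b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream")
    for url in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 712] "
                    b"/A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>")
    out = [b"%PDF-1.4\n"]
    for num, obj in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % num + obj + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


# Constructed samples: lure paths are made up, the host and the netcdn.co link
# mirror the report, the benign file cites three PDFs on three hosts.
LURE_PREFIX = "https://pariwisata.denpasarkota.go.id/new/public/ckfinder/userfiles/files/"
SAMPLE_PDF = build_sample_pdf(
    [LURE_PREFIX + "lure-%02d_GM431946152.pdf" % i for i in range(12)]
    + ["http://netcdn.co/app/431946152/free-robux-pro-tv-game-hack"],
    "Download Now - MIT licence: http://en.wikipedia.org/wiki/MIT_License",
)
BENIGN_PDF = build_sample_pdf(
    ["https://example.org/paper.pdf", "https://example.net/slides.pdf",
     "https://example.com/errata.pdf"],
    "See the three references above.",
)

if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        r = score_link_farm(pdf)
        print(name, r["size"], "bytes,", r["pdf_links"], "pdf links, top host",
              r["top_host"], "%.0f%%" % (100 * r["top_host_share"]),
              "-> PDF_SEO_LINK_FARM" if r["PDF_SEO_LINK_FARM"] else "-> clean")
```

The netcdn.co link is kept in the link-annotation channel but does not count toward the .pdf cluster, and the Wikipedia URL surfaces only through the document-body channel; that separation is what lets the per-URL labels say which path reached each URL.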

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off00003710.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x3710   22680 bytes
  SHA-256: 8c8aa3a6c82eb3a79541952ad4f15cd49dd58e886b41da8dad9846290226d055
font_01_sfnt_off000069b4.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x69B4   18984 bytes
  SHA-256: c19a450ef1826679ee42db65a61c50c59a03b59f7ede7f7f59be94e3e9479c79

Both artifacts are embedded font programs, which is ordinary for an HTML-to-PDF render; no embedded file or script artifact was carved. The sizes exceed the distance between the two offsets (0x69B4 - 0x3710 = 12964 bytes), so they are decompressed stream lengths, not on-disk lengths.
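As an added example, not the analysis tooling behind this table, the Python below carves sfnt font streams out of a PDF and reports them in the same columns: a filename built from the stream offset, the kind, a source description, the decompressed size and the SHA-256. It assumes stream dictionaries with a direct /Length that are either unfiltered or /FlateDecode, and it does not unpack object streams; the sample PDF and its minimal font are constructed for the example.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Apple)",
}

# A flat stream dictionary with a direct /Length, then the stream keyword.
# "\b(?!\s+\d+\s+R)" rejects an indirect length such as "/Length 12 0 R",
# which this example does not resolve (assumption: direct lengths only).
STREAM_DICT_RE = re.compile(
    rb"<<(?P<dict>[^<>]*?/Length\s+(?P<len>\d+)\b(?!\s+\d+\s+R)[^<>]*?)>>\s*stream\r?\n"
)


def sfnt_table_tags(font: bytes) -> list:
    """Tags from the sfnt table directory: numTables is the uint16 at offset 4,
    and 16-byte records (tag, checksum, offset, length) start at offset 12."""
    if len(font) < 12:
        return []
    (num_tables,) = struct.unpack(">H", font[4:6])
    tags = []
    for i in range(num_tables):
        rec = font[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            break                             # truncated directory: report what exists
        tags.append(rec[:4].decode("latin-1"))
    return tags


def carve_fonts(pdf: bytes) -> list:
    """One record per sfnt font stream, in the shape of the artifact table."""
    found = []
    for m in STREAM_DICT_RE.finditer(pdf):
        start = m.end()                       # first byte of the stream data
        raw = pdf[start:start + int(m.group("len"))]
        dict_text = m.group("dict")
        if b"/FlateDecode" in dict_text:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                      # corrupt or mislabelled stream
        elif b"/Filter" in dict_text:
            continue                          # other filters: not handled here
        else:
            data = raw
        flavour = SFNT_MAGICS.get(data[:4])
        if flavour is None:
            continue                          # not a font program
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "kind": "pdf-font-stream",
            "source": "PDF embedded font (sfnt) at offset 0x%X" % start,
            "offset": start,
            "size": len(data),                # decompressed length, as in the table
            "sha256": hashlib.sha256(data).hexdigest(),
            "flavour": flavour,
            "tables": sfnt_table_tags(data),
        })
    return found


def fake_sfnt(tags) -> bytes:
    """Constructed minimal TrueType-flavoured sfnt: header plus a table directory
    whose tables are empty.  Not a usable font, just enough structure for the
    carver to recognise and describe it."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tags), 0, 0, 0)
    dir_end = 12 + 16 * len(tags)
    return header + b"".join(struct.pack(">4sIII", t, 0, dir_end, 0) for t in tags)


def stream_obj(num: int, dict_bytes: bytes, data: bytes) -> bytes:
    return b"%d 0 obj\n" % num + dict_bytes + b"\nstream\n" + data + b"\nendstream\nendobj\n"


FONT_BYTES = fake_sfnt([b"head", b"glyf"])
FONT_SHA256 = hashlib.sha256(FONT_BYTES).hexdigest()
COMPRESSED = zlib.compress(FONT_BYTES)
CONTENT = b"BT /F1 12 Tf 72 720 Td (Download Now) Tj ET"

# Constructed sample: a page content stream, a Flate-compressed font stream
# (the usual way producers write them), and a stream with an indirect /Length
# that the carver deliberately leaves alone.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    stream_obj(1, b"<< /Length %d >>" % len(CONTENT), CONTENT),
    stream_obj(2, b"<< /Length %d /Length1 %d /Filter /FlateDecode >>"
                  % (len(COMPRESSED), len(FONT_BYTES)), COMPRESSED),
    stream_obj(3, b"<< /Length 4 0 R /Filter /FlateDecode >>", b"skipped"),
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for rec in carve_fonts(SAMPLE_PDF):
        print(rec["filename"], rec["kind"], rec["source"], "%d bytes" % rec["size"])
        print("  SHA-256:", rec["sha256"], rec["flavour"], rec["tables"])
```

Run against the real sample, the offsets in the filenames should land on the two font streams and the sizes should match the decompressed lengths in the table; a carved digest that differs from the one listed is the first thing to check before trusting either table.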