Malicious PDF — malware analysis report

Static analysis result for SHA-256 732e5c26d7d1ff7c…

MALICIOUS

PDF

34.5 KB Created: 2021-07-04 15:21:15 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: c0d809651c9498b86e20a173b5131ea8 SHA-1: 3a0fb1cabdf00b21624e9bc3ab496402a4a9dea2 SHA-256: 732e5c26d7d1ff7c8101cb22e6c2b74eb38a22753273b7b66f3815fdd298b117
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links to external websites, many of which are hosted on an IP address and promise free Robux or game hacks. This indicates a phishing or scam attempt designed to trick users into downloading malicious files. The heuristic 'PDF_SEO_LINK_FARM' suggests a large number of these links were generated programmatically to appear as legitimate search results, further supporting the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/431946152/free-robux-for-kids-game-hack
    • http://118.98.227.172/opac/repository/is-minecraft-dungeons-free_GM479516143.pdf
    • http://118.98.227.172/opac/repository/wie-kann-man-ihn-roblox-hacken_GM431946152.pdf
    • http://118.98.227.172/opac/repository/free-vip-server-jailbreak-roblox_GM431946152.pdf
    • http://118.98.227.172/opac/repository/aristois-minecraft-hack_GM479516143.pdf
    • http://118.98.227.172/opac/repository/free-robux-that-actually-works_GM431946152.pdf
    • http://118.98.227.172/opac/repository/how-do-you-get-free-robux-no-vidio_GM431946152.pdf
    • http://118.98.227.172/opac/repository/flame-gg-free-robux_GM431946152.pdf
    • http://118.98.227.172/opac/repository/how-to-not-get-hacked-on-roblox_GM431946152.pdf
    • http://118.98.227.172/opac/repository/how-to-create-t-shirts-in-roblox-for-free_GM431946152.pdf
    • http://118.98.227.172/opac/repository/free-spins-on-coin-master-game_GM406889139.pdf
    • http://118.98.227.172/opac/repository/free-spin-coin-master-game_GM406889139.pdf
    • http://118.98.227.172/opac/repository/roblox-how-to-hack-gravity-with-cheat-engine_GM431946152.pdf
    • http://118.98.227.172/opac/repository/how-to-hack-into-your-account-on-roblox_GM431946152.pdf
    • http://118.98.227.172/opac/repository/how-to-hack-a-roblox-account-with-inspect-element-2021_GM431946152.pdf
    • http://118.98.227.172/opac/repository/hack-give-robux_GM431946152.pdf
    • http://118.98.227.172/opac/repository/free-robux-place_GM431946152.pdf
    • http://118.98.227.172/opac/repository/anti-ban-and-kick-cheat-roblox-2021_GM431946152.pdf
    • http://118.98.227.172/opac/repository/how-to-hack-a-roblox-account-with-roblosecurity-cookie_GM431946152.pdf
    • http://118.98.227.172/opac/repository/www-roblox-cheatus-limited-edition_GM431946152.pdf
    • http://118.98.227.172/opac/repository/roblox-redeem-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003020.bin
1ddf2bf3db74c87e5efdd049d7d59e55a7dfe836664ec6c70b3e3bddfe8f61c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3020 22324 bytes
font_01_sfnt_off000061c4.bin
afbbc6672e5e67d3d08182cb82f0154e2527ac7a9675429207b3e1307e5db0cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61C4 19012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.