Malicious PDF — malware analysis report

Static analysis result for SHA-256 740d6fb49345e84a…

Verdict: MALICIOUS
File type: PDF
Size: 47.5 KB
Created: 2021-06-06 23:27:23 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 7e02f5bbea55850d328d5e154e1aa6c0
SHA-1: 51d91a762b249c9cb9b8ec864a55a486106a6886
SHA-256: 740d6fb49345e84a407ca821d3263254c56b90facb222a8a42453c76626cb657
Risk score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous external links, many of which appear to be part of an SEO link farm strategy, likely to redirect users to malicious sites or download pages. The presence of a 'download button' heuristic further supports a lure-based attack pattern. While no scripts were explicitly extracted, the ML classifier and the link farm heuristic strongly indicate malicious intent, possibly involving exploitation or the delivery of further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_004_off00005037.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5037 | 24968 bytes | afb25454dca3c0e5f8a5d6a6346295c00821d83ea05530c210d3ae2fdc5543f2
font_01_sfnt_off0000899d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x899D | 3464 bytes | 8e24205afdd13dcdea98f8150ef77dee4030e0e50a7c748783d1b4598e034a20
font_02_sfnt_off000095d2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x95D2 | 18656 bytes | af532387990def6f6ba8826cfe9bcd99f22596a4b3dc2bca4739acfec8d93017