Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fde278d41585990…

MALICIOUS

PDF

45.1 KB Created: 2021-06-09 14:25:22 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a9e2131985f997d9b9a850e299fd73f4 SHA-1: 068015babe67a4386b201b4f42a4dbbfa8ca635b SHA-256: 7fde278d4158599063233825e271e1bceed3d9944cc33e70e68a50e957e3f304
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous heuristics indicating malicious intent, including a link farm and a fake CAPTCHA lure. The document body and extracted URLs point to the download of further malicious PDFs, likely to trick users into executing malware. The presence of embedded JavaScript, though not directly analyzed here, is a common vector for such attacks.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9865

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.tw/app/431946152/how-to-hack-other-roblox-account-game-hack
    • http://111.68.26.74/widyapustaka/repository/easy-coin-master-hack-without-verification_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-minecraft-windows-10-for-free-2021_GM479516143.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-hack-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/minecraft-bedrock-hacks_GM479516143.pdf
    • http://111.68.26.74/widyapustaka/repository/minecraft-hacked-client-bedrock_GM479516143.pdf
    • http://111.68.26.74/widyapustaka/repository/free-spins-coin-master-site-wwwquoracom_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/free-draw-2-alpha-roblox_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-scams-malware-wikia_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/free-robux-no-verification-2021_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/grabpoints-robux_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-free-spins-ios-app_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-free-robux-guava-juice_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/daily-free-spins-for-coin-master_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-daily-free-spins-link-today-blog_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-roblox-money_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/coin-master-hack-version-apk-download_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/pig-master-free-spins-and-coins_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/robuxy-com-free-robux_GM431946152.pdf
    • http://111.68.26.74/widyapustaka/repository/free-coin-master-coins-and-spins_GM406889139.pdf
    • http://111.68.26.74/widyapustaka/repository/how-to-get-free-robux-easy-on-phone_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00004f7e.bin
0fbb4c8b12cee4b41364ce4b3e9c1753ceb78826e2a62e75c1bd2a66d0e01ca3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4F7E 26852 bytes
font_01_sfnt_off00008c4f.bin
738bd73574dcc30f57428954cc606aba977a169b3987fef5fc7f3312bc80529d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C4F 18756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.