Malicious PDF — malware analysis report

Static analysis result for SHA-256 83011c470be5c335…

MALICIOUS

PDF

35.7 KB Created: 2021-07-09 18:59:43 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a7f0f2fd442e9169046ad1c314caccab SHA-1: 031d1ec131805a3988111e0300a27dca56a56ad5 SHA-256: 83011c470be5c335dee5c7a86565d1d44f482d5441c8d962ebfaf9fefc7f6c67
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains numerous links to external resources, many of which are SEO-optimized PDF files hosted on elearning.mtsn5blitar.com, suggesting a link farm designed to attract users searching for game hacks. The presence of a direct URL to 'netcdn.tw' further indicates an attempt to redirect users to download applications. The ML classifier and heuristic firings strongly suggest malicious intent, likely involving the exploitation of PDF vulnerabilities to execute further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/431946152/free-robux-app-game-hack
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-to-hack-coin-master-pc_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/redline-roblox-hack-booga-booga_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-rewards-free-spins_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/howt-to-hack-roblox-with-cmd_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/antiafk-roblox-hack-2021_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-robux-with-no-human-verification_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-to-get-minecraft-pe-for-free_GM479516143.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/can-i-get-free-robux_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-robux-hack-us_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/robux-today_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/spins-for-coin-master_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-robux-that-actually-works-2021_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/old-roblox-accounts-for-free_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-spins-for-coin-master-game_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/minecraft-games-free-download_GM479516143.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-to-get-free-robux-no-clickbait_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-hack-8-ball-pool_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/minecraft-bedrock-for-free_GM479516143.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-coins-coin-master-link_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-do-you-get-free-robux-without-paying_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__stat
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000034d0.bin
8d2e9476487f14597ad5e8023d031457c74f3fb07a922c76148b96f252b133ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x34D0 22740 bytes
font_01_sfnt_off000066f5.bin
98799f5422297995f0985cb1c378b21e0f8722881e70436717831cdef5a17d10		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66F5 18892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.