Malicious PDF — malware analysis report

Static analysis result for SHA-256 898ead903418483c…

MALICIOUS

PDF

41.7 KB Created: 2021-05-19 00:32:30 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f211da69a52c7ededc5926c454a55f92 SHA-1: 752d3fa8a923fe7d3e32603dffb74b93ad44cfd1 SHA-256: 898ead903418483c69976d85210de0320b8dd789a1b2bf1f4bab010cb12c40c4
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of external links, many of which appear to be part of a link farm designed for SEO manipulation. The ML classifier also flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the heuristic firings suggest a malicious intent to redirect users to potentially harmful content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_003_off0000487b.bin | 007608ac78913efdad9b664993886d41b0dfe6c4586abe2bc649af6c114d4cff | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x487B | 24228 bytes
font_01_sfnt_off00007f8a.bin | bdbf3986ec68ee3b496ae89412d1d0f392e3b826f1ca321ec58289079c9e4546 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F8A | 18632 bytes