Malicious PDF — malware analysis report

Static analysis result for SHA-256 91e1c2c2f79b2444…

MALICIOUS

PDF

Size: 33.4 KB
Created: 2021-06-26 16:33:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b23c8f9fc6d0436b658378b1abdcd8d8
SHA-1: 6af064d15a36d7439f1bfd896d78a42dd5dff5c3
SHA-256: 91e1c2c2f79b2444fdb28602f7354ff508b455ed6966335c3638b9b8510aa869
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs, many of which are structured as a link farm for SEO purposes, pointing to pages offering 'free Robux' or game cheats. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs suggests an attempt to redirect the user to a malicious site, likely for credential harvesting or malware download. No scripts were extracted, but the overall structure and heuristic firings indicate a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9824

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002b03.bin
  SHA-256: 45bdfc61a60966b0a79338a1ad465e819b2e04c9fd2115f20216b9249a4479f8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B03
  Size: 22648 bytes

Filename: font_01_sfnt_off00005d9b.bin
  SHA-256: a01abce438ace15ff0d22223d5cc83267d648dadbc6e7de58085c68645cb2558
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5D9B
  Size: 19124 bytes