Malicious PDF — malware analysis report

Static analysis result for SHA-256 98594f4419d5ad88…

Verdict: MALICIOUS
File type: PDF
Size: 46.6 KB
Created: 2021-05-12 07:35:42 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2d706f41f81dfa43f7086a64f3985bf8
SHA-1: dc29ffaf471931600589c1fc254fa033ba6ea5b2
SHA-256: 98594f4419d5ad882d1cb7f56649a30db709a5f17118cb7d922d45e24cd357cc
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, many pointing to other PDFs hosted on the same IP address, indicating a link farm. The document body, though heavily obfuscated, contains references to 'Roblox Hack Me' and URLs related to free spins and game hacks, suggesting a lure for users seeking such content. The presence of a visual download button further supports the malicious intent of directing users to external resources.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8948

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address (severity: medium, rule PDF_URI_IP_LITERAL)
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/roblox-hack-me-game-hack

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004e0f.bin
    SHA-256: b39944f63f2039ffb880187af8fe68979ac33bf66ee40f751ba1d95fe9a228f1
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4E0F
    Size: 25600 bytes
  • Filename: font_01_sfnt_off000088e3.bin
    SHA-256: 415b8ca07467cc6b1d74ddc9a38943fb6d263a241d6e4db9f38ff3acab56a07a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88E3
    Size: 3000 bytes
  • Filename: font_02_sfnt_off00009333.bin
    SHA-256: aef395c884b1121fa113f915db4056a7b0027cd471dc4d96a5cdd03c50f60cf3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9333
    Size: 18376 bytes