Malicious PDF — malware analysis report

Static analysis result for SHA-256 996466ae48c5fc84…

MALICIOUS

PDF

Size: 42.6 KB
Created: 2021-05-15 07:33:52 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a4ae7e60eaf8da20a8fdfabe43fdb000
SHA-1: c3071a7846603377d90e79d5f6ae57219f992307
SHA-256: 996466ae48c5fc843f3a1930ce8bc874f94de47e7cf7ae28530cbe3f331510a8
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an unusually large number of external links for a 42.6 KB document: 20 of the 22 extracted URLs point to further PDFs on a single host (vagency.us), all themed around game cheats and hacks (free Robux, Coin Master spins, Minecraft hacks). That clustering matches a generated SEO link farm or lure document rather than genuine citations. The ML classifier independently flagged the PDF as malicious (score 0.9971). Taken together, the embedded URLs and the document body indicate the intent is to route users searching for game exploits to external sites that may deliver malicious or unwanted software.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (22):
    • https://netcdn.xyz/app/406889139/free-coin-link-coin-master-game-hack
    • http://vagency.us/images/how-you-get-free-robux_GM431946152.pdf
    • http://vagency.us/images/how-to-get-hacks-on-minecraft_GM479516143.pdf
    • http://vagency.us/images/robux-hack-no-human-verification_GM431946152.pdf
    • http://vagency.us/images/get-free-spins-coin-master-october-2021_GM406889139.pdf
    • http://vagency.us/images/free-robux-please_GM431946152.pdf
    • http://vagency.us/images/real-free-robux-generator_GM431946152.pdf
    • http://vagency.us/images/minecraft-free-download-no-virus_GM479516143.pdf
    • http://vagency.us/images/rewards-robux_GM431946152.pdf
    • http://vagency.us/images/coin-master-hack-tool-2021_GM406889139.pdf
    • http://vagency.us/images/free-robux-clothes_GM431946152.pdf
    • http://vagency.us/images/free-robux-no-verification-at-all_GM431946152.pdf
    • http://vagency.us/images/free-robux-without-human-verification_GM431946152.pdf
    • http://vagency.us/images/coin-master-claim-free-spins_GM406889139.pdf
    • http://vagency.us/images/free-google-play-promo-codes-coin-master_GM406889139.pdf
    • http://vagency.us/images/coin-master-hacks-no-human-verification_GM406889139.pdf
    • http://vagency.us/images/coin-master-daily-free-spins-link-2021_GM406889139.pdf
    • http://vagency.us/images/how-to-hack-minecraft_GM479516143.pdf
    • http://vagency.us/images/free-coins-and-spins-in-coin-master_GM406889139.pdf
    • http://vagency.us/images/free-robux-generator-for-roblox-2021_GM431946152.pdf
    • http://vagency.us/images/free-robux-generator-without-human-verification_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
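The PDF_SEO_LINK_FARM heuristic above is a size/link-count/host-concentration check, and the Extracted artifacts section shows that this sample keeps its content in a FlateDecoded stream, which is why a plain grep for /URI over the raw file can come up empty. The script below is an added example, not the analysis platform's own detector: it pulls /URI targets from both raw objects and inflated streams, then applies a link-farm rule. The thresholds (10 links, 75% on one host, 200 KB) and the sample PDF built inline (twenty link annotations packed into a compressed object stream, eighteen of them on vagency.us) are constructed assumptions for the demonstration, not the analysed file.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) inside a link annotation's action dictionary.
# Handles backslash escapes; hex strings (<...>) and nested bare parentheses are not covered.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any stream body; the \b keeps "endstream" from being taken as a stream start.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _pdf_string(raw):
    """Undo backslash escapes in a PDF literal string and decode as Latin-1."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf, inflate=True):
    """Return every /URI target in the file. With inflate=True each stream is also
    run through zlib, so link annotations packed into a FlateDecode object stream
    (the layout wkhtmltopdf-style generators emit) are seen as well."""
    uris = [_pdf_string(m) for m in URI_RE.findall(pdf)]
    if inflate:
        for body in STREAM_RE.findall(pdf):
            try:
                # decompressobj tolerates a stream the regex cut one byte short
                data = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # not a Flate stream (image, font, ...)
            uris.extend(_pdf_string(m) for m in URI_RE.findall(data))
    return uris


def assess_link_farm(pdf, min_links=10, min_host_share=0.75, max_size=200 * 1024):
    """Hypothetical PDF_SEO_LINK_FARM-style rule: a small file carrying many external
    links, most of them on a single host. Thresholds are assumptions, not the platform's."""
    external = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(external) if external else 0.0
    return {
        "size": len(pdf),
        "links": len(external),
        "pdf_links": sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf")),
        "top_host": top_host,
        "top_share": round(share, 3),
        "flagged": len(pdf) <= max_size and len(external) >= min_links and share >= min_host_share,
    }


def build_sample_pdf(urls):
    """Constructed sample (not the analysed file): one page whose link annotations sit
    in a Flate-compressed object stream, so grepping the raw bytes for /URI finds nothing."""
    first = 10  # object number of the first annotation inside the object stream
    annots = [
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n"
        for u in urls
    ]
    pairs, body = [], b""  # ObjStm header is "objnum offset" pairs, then the objects
    for i, a in enumerate(annots):
        pairs.append(b"%d %d" % (first + i, len(body)))
        body += a
    header = b" ".join(pairs) + b"\n"
    data = zlib.compress(header + body)
    refs = b" ".join(b"%d 0 R" % (first + i) for i in range(len(annots)))
    objstm = (
        b"4 0 obj << /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
        % (len(annots), len(header), len(data))
        + data + b"\nendstream\nendobj\n"
    )
    return (
        b"%PDF-1.5\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >> endobj\n"
        + objstm
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed URL set mimicking the report's pattern: many .pdf lures on one host plus two strays.
SAMPLE_URLS = (
    ["http://vagency.us/images/free-robux-generator-%d_GM431946152.pdf" % i for i in range(18)]
    + ["https://netcdn.xyz/app/406889139/free-coin-link", "http://en.wikipedia.org/wiki/MIT_License"]
)

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print("raw grep hits:", len(extract_uris(sample, inflate=False)))
    print("after inflate:", len(extract_uris(sample)))
    print(assess_link_farm(sample))
```

The regex pass is a triage aid, not a parser: it misses URIs written as hex strings, streams with a /DecodeParms predictor, and objects reachable only through cross-reference streams. For anything beyond quick triage, walk the object tree with a real PDF library and read each /Annots entry's /A dictionary directly.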

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_003_off00004a2b.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x4A2B    25784 bytes
  SHA-256: 87bf97e9e375b13976c2f158d5dfeb8a6584e345719b1d78f2561d9763f7d034
font_01_sfnt_off0000856c.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x856C   17880 bytes
  SHA-256: 0625e4176a7f53d001741f6455d720615efffd3608056e1f92d89c9c6799a538