Malicious PDF — malware analysis report

Static analysis result for SHA-256 99a649644c96ad0c…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Created: 2021-07-09 18:31:22 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e4fe1c6f4b2e1115dac70b3d92d14d09
SHA-1: bb84e2340a699b9f70f320e17f556cb5caba1837
SHA-256: 99a649644c96ad0cd174423ddd1a106542c35b336fb30f3093468d6815664ecd
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document carries 22 extracted URLs. Twenty of them point to further PDF files under a single host, esmartdigitalcard.com, with filenames promising free Robux, Coin Master spins, Minecraft hack clients or TikTok followers; one points to netcdn.tw under an /app/406889139/ path whose numeric id also appears as the _GM406889139 suffix on several of the esmartdigitalcard.com filenames, tying the two hosts to one campaign; the last is a benign Wikipedia page for the MIT License. This is the pattern the PDF_SEO_LINK_FARM heuristic is built for: a small, wkhtmltopdf-generated document whose external links cluster on one host, which is how generated SEO carrier PDFs route readers from search results into unwanted-software or scam delivery chains. The ML classifier independently scores the file as malicious with high confidence. No scripts were extracted, so nothing in this analysis shows the file exploiting the reader; its role is the lure and redirect stage, and the T1203 mapping is not backed by any extracted exploit content in this report. Blocking or sinkholing the two link hosts covers the observed chain; the document itself is inert without a click.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/406889139/coin-master-email-free-spins-game-hack
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/how-to-get-unlimited-robux_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/minecraft-pe-hack-client-ios_GM479516143.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/roblox-hacks-on-lumber-tycoon-robux_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/coin-master-facebook-free-spins_GM406889139.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/coin-master-villages_GM406889139.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/como-conseguir-monedas-infinitas-y-tiradas-de-coin-master-hack_GM406889139.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/roblox-cheatgg-safe_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/coin-master-redeem-code-free_GM406889139.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/roblox-catalog-free_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/how-to-get-free-followers-on-tiktok-without-verification_GM835599320.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/real-free-robux-generator_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/free-roblox-army-templats_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/free-robux-games-that-actually-work_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/roblox-hacks-2021-june_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/wil-they-cheat-roblox-thumbnail_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/how-do-u-get-free-robux-2021_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/medkit-free-robux_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/free-25-spins-coin-master-links_GM406889139.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/free-20210-robux-2021_GM431946152.pdf
    • https://www.esmartdigitalcard.com/uploaded_files/userfiles/files/how-do-u-get-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded sfnt font streams are normal output for an HTML-to-PDF renderer such as wkhtmltopdf; they are listed here for completeness and hashing (useful for pivoting to other documents from the same generator), not as indicators on their own.

  • font_00_sfnt_off00003301.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3301
    Size: 22844 bytes
    SHA-256: 77324f352f971d2f6bdb2f79632651e02ce0d4e15d7aa5d51035a19d960da58a
  • font_01_sfnt_off00006602.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6602
    Size: 18508 bytes
    SHA-256: 857452a97ec4c8a0357fa4a60eb564765f702e021e296b9eb26375981d5eaeda
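The PDF_SEO_LINK_FARM and EMBEDDED_URL findings in the Heuristics section, and the font-carving table above, can be reproduced with a small stdlib-only scanner. The following is an added example written for this page, not the vendor's heuristic code: it pulls /URI targets out of link annotations (including annotations stored inside Flate-compressed object streams), scores the file on size, number of external .pdf links and share of links on the busiest host, and carves sfnt font streams with their body offset, decoded size and SHA-256. The thresholds, the placeholder hosts (linkfarm.example, cdn.example, doi.example, git.example) and the constructed sample PDFs are assumptions, and only the FlateDecode filter is handled.

```python
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI targets appear as literal strings (...) with escapes or as hex strings <...>.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
SIMPLE_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")  # TrueType, CFF OpenType, Mac TTF, collection


def unescape_pdf_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\( \\) \\\\, the \\n family and \\ddd octal."""
    def one(m):
        esc = m.group(1)
        if esc[:1] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return SIMPLE_ESC.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", one, raw, flags=re.S)


def iter_streams(data: bytes):
    """Yield (body_offset, raw_body, inflated) per stream; inflated is None unless it is a complete FlateDecode stream."""
    for m in STREAM.finditer(data):
        head = data[max(0, m.start() - 300):m.start()]  # the stream dictionary, roughly
        inflated = None
        if b"/FlateDecode" in head:
            try:
                d = zlib.decompressobj()
                inflated = d.decompress(m.group(1))     # EOL bytes before 'endstream' go to unused_data
                if not d.eof:
                    inflated = None                     # truncated stream
            except zlib.error:
                pass                                    # corrupt stream: skip it, do not crash
        yield m.start(1), m.group(1), inflated


def extract_uris(data: bytes) -> list:
    """Collect /URI targets from the raw file and from every inflated object stream."""
    views = [data] + [inf for _, _, inf in iter_streams(data) if inf is not None]
    uris = []
    for view in views:
        uris += [unescape_pdf_literal(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(view)]
        uris += [bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode("ascii")).decode("latin-1")
                 for m in URI_HEX.finditer(view)]
    return uris


def link_farm_score(data: bytes, max_size=250_000, min_pdf_links=10, min_top_share=0.7) -> dict:
    """Small file, many external .pdf links, most of them on one host. Thresholds are assumed."""
    uris = extract_uris(data)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in uris)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    flagged = len(data) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_top_share
    return {"size": len(data), "uri_count": len(uris), "pdf_link_count": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 3), "flagged": flagged}


def carve_sfnt_fonts(data: bytes) -> list:
    """Carve embedded sfnt fonts as the artifact table lists them: body offset, decoded size, SHA-256.
    For uncompressed streams the exact size should come from /Length; EOL stripping is a shortcut."""
    found = []
    for offset, raw, inflated in iter_streams(data):
        body = inflated if inflated is not None else raw.rstrip(b"\r\n")
        if body[:4] in SFNT_MAGIC:
            found.append({"offset": offset, "size": len(body), "sha256": hashlib.sha256(body).hexdigest()})
    return found


def build_sample_pdf(plain_uris, compressed_uris=(), hex_uris=(), font=b"") -> bytes:
    """Constructed input: just enough PDF structure for the scanner, not a renderable document."""
    def annot(uri):
        return b"<</Type/Annot/Subtype/Link/Rect[0 0 100 20]/A<</S/URI/URI(" + uri.encode("latin-1") + b")>>>>"
    def flate(extra, payload):
        comp = zlib.compress(payload)
        return b"<<%s/Filter/FlateDecode/Length %d>>\nstream\n" % (extra, len(comp)) + comp + b"\nendstream"
    bodies = [annot(u) for u in plain_uris]
    bodies += [b"<</Type/Annot/Subtype/Link/A<</S/URI/URI<" + u.encode("latin-1").hex().encode("ascii") + b">>>>>"
               for u in hex_uris]
    if compressed_uris:
        bodies.append(flate(b"/Type/ObjStm", b"\n".join(annot(u) for u in compressed_uris)))
    if font:
        bodies.append(flate(b"/Length1 %d" % len(font), font))
    objs = [b"%d 0 obj\n" % (i + 1) + body + b"\nendobj\n" for i, body in enumerate(bodies)]
    return b"".join([b"%PDF-1.4\n"] + objs + [b"%%EOF\n"])


# Constructed samples; linkfarm.example, cdn.example, doi.example and git.example are placeholders.
FAKE_FONT = b"\x00\x01\x00\x00\x00\x0a" + b"\x00" * 250  # sfnt magic plus filler, not a real font
FARM_SAMPLE = build_sample_pdf(
    [f"https://linkfarm.example/files/p{i}.pdf" for i in range(8)] + ["http://en.wikipedia.org/wiki/MIT_License"],
    compressed_uris=[f"https://linkfarm.example/files/q{i}.pdf" for i in range(6)],
    hex_uris=["http://cdn.example/app/123/lure-page"], font=FAKE_FONT)
BENIGN_SAMPLE = build_sample_pdf(["https://doi.example/10.1/a", "https://en.wikipedia.org/wiki/PDF",
                                  "https://git.example/x/y"])
```

Call link_farm_score and carve_sfnt_fonts on a sample's bytes. On the constructed FARM_SAMPLE, 14 of the 16 links are .pdf files on linkfarm.example, so the file is flagged; BENIGN_SAMPLE, with three links on three hosts, is not, and the carver returns one sfnt stream of 256 bytes with its hash. A PDF that uses other stream filters, or keeps its annotations in encrypted streams, will show fewer links than it really has, so an empty result from a scanner like this means "not visible", not "absent".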