Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bcd3bfaf5d36fde…

MALICIOUS

PDF

Size: 45.9 KB
Created: 2021-05-19 13:03:53 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2804c1d250291b24c36a6a60c5749004
SHA-1: 74a9758d6c0042b873e5b310d54c72b58cff3cf4
SHA-256: 9bcd3bfaf5d36fde38ea6b865f72ee45df530c2ae158e79aef562ce20c81d631
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, many of which point to game-related cheats and hacks, suggesting a lure for users seeking such content. The presence of a "download button" heuristic and the ML classifier's high confidence score indicate malicious intent. The document's primary purpose appears to be directing users to external sites that likely host further malicious content or scams.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004afc.bin
    SHA-256: 173359c2406070f6ff3256645d69020c5c8c7cdb30fc7515e8a3b9af3dc03d00
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4AFC
    Size: 28472 bytes
  • Filename: font_01_sfnt_off00008d0d.bin
    SHA-256: 72c791ad1c4340ed85ac0ecdba514e35635851f3f818d4a167a4eafc97bf1d2a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D0D
    Size: 19652 bytes