Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e6b516b4f48f883…

MALICIOUS

PDF

37.6 KB Created: 2021-07-04 20:31:52 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-11-21
MD5: edc94a44c4df7083f4ef4d56716237ea SHA-1: 000f8461c8c8913d9506d71871fe49a169125819 SHA-256: 9e6b516b4f48f8830ede881cd8d330424a10011e7c04b611e0e79d067ead62bb
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded links, with a primary link pointing to a known malicious redirector. The document body and heuristics suggest a lure for game-related cheats or generators, likely leading to malware download. No scripts were extracted, but the presence of malicious links and the lure indicate a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/431946152/robux-free-com-game-hack In PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/master-free-spin_GM406889139.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/cheat-roblox-retail-tycoon-2021_GM431946152.pdfIn PDF document text
    • https://elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-catalog-roblox-2021_GM431946152.pdfIn PDF document text
    • https://elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/neon-hacks-roblox-account-generator_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-modded-minecraft-server-hosting_GM479516143.pdfIn PDF document text
    • https://elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/tokyo-ghoul-project-killzone-roblox-cheat_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/tiktok-free-fans_GM835599320.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/roblox-hacks-exploits-2021_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-on-roblox_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-10-robux-no-human-verification_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/roblox-free-shirts-2021_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/coin-monster_GM406889139.pdfIn PDF document text
    • https://elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-robux-not-fake_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-without-verification_GM431946152.pdfIn PDF document text
    • https://elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/btools-hack-pastebin-roblox_GM431946152.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-minecraft-videos_GM479516143.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-minecraft-pe-server_GM479516143.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/free-mod-apk-coin-master_GM406889139.pdfIn PDF document text
    • http://www.elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/coin-master-daily-free-spins-link_GM406889139.pdfIn PDF document text
    • https://elearning.mtsn2ska.sch.id/__statics/gudangsoal/files/roblox-cheat-engine-hack-admin_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003c16.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3C16 22580 bytes
SHA-256: c884b820b80866efeefda146a108b9224861c2d6ce8a67842b38b77eda614ab7
font_01_sfnt_off00006e94.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6E94 18976 bytes
SHA-256: fb86ad1aad47c5a5c5fa913efd771066ff8edf92cff8bf075126ed023f1935f6