Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4308d922e8a1e0d…

Verdict: MALICIOUS
File type: PDF
Size: 43.2 KB
Created: 2021-05-10 22:33:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 4248b1fa7344314f9790aacb65cefd06
SHA-1: 72e0140e9966e442082183fe7815bce186b52bac
SHA-256: a4308d922e8a1e0d0c4edcbf618fa3babcc4082cdd414fd852f9897b7e1d158c
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
The T1059.007 mapping is not backed by the findings below: no JavaScript or other script was extracted from this sample, and the redirection relies on plain link actions.

This PDF contains many links to external resources; most carry an algorithmically generated token and point at further PDFs offering 'free Robux' or 'Coin Master spins'. The ML classifier scores the file as malicious with high confidence, and the lures suggest the document exists to trick the reader into fetching further malicious content. No scripts were extracted; the redirection is carried entirely by ordinary /URI link actions, so the sample is a lure document rather than an exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (4)

  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable random labels) and whose path or query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures, in which the visible document is only a prompt; it is not a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • External URI info PDF_URI
    PDF contains at least one external URL (/URI) action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/como-hack-coin-master-game-hack
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-robux-codes-2021-real_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-robux-generator-2021-no-human-verification-or-survey_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/coin-master-free-stuff_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-robux-only-username-no-human-verification_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-spins-for-coin-master_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-robux-generator-without-verification_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-robux-without-verification-or-survey_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/blox-pink-robux-free_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/coin-master-hack-without-verification-code_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/real-free-spins-for-coin-master_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/how-to-get-stuff-that-cost-coins-free-mcpe-master_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/legit-free-spins-coin-master_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/coin-master-cheat-free_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/freespinandcoinblogspotcom-2021-11-coinmasterfreespinandcoinlinkshtml_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/coin-master-free-daily-spins-link_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-minecraft-java-edition-codes_GM479516143.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/get-more-robux_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/links-for-coin-master-free-spins_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/game-coin-master-hack_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/microsoft-bing-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
    The numeric IDs recur across the list: 406889139 appears in the netcdn.xyz path and as the _GM406889139 suffix of every Coin Master file name, 431946152 on every Robux file, and 479516143 on the Minecraft file; each reads as a per-game campaign identifier (an inference from the list, not an engine finding). The Wikipedia MIT_License link is benign.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                      Source                                       Size
stream_003_off00004e19.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x4E19     25248 bytes
  SHA-256: 66412e3fd0948039cd067dad6c6b4546fbb2866769943d910b4fb4fc445ef3e1
font_01_sfnt_off0000877e.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x877E    17976 bytes
  SHA-256: eca04fc04629eb008e0887f2535dd17ec15003b382c7de749ac8db6c10868975
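The /URI extraction behind the PDF_URI and EMBEDDED_URL findings, the stream inflation behind the decompressed-pdf-stream artifact above, and a simplified version of the PDF_RANDOM_URL_LINK token check, as an added Python example; this is not the analysis engine's code. It scans a PDF constructed inline (two link annotations, one of them inside a FlateDecode object stream); kovabune.example is a hypothetical host, and the 24-character length and 4.0-bit entropy thresholds are this example's own choices. Standard library only, so it runs offline.

```python
"""Added example (not the analysis engine's code): pull /URI link actions out of a
PDF, including ones hidden inside FlateDecode streams, carve those streams the way
the report's 'decompressed-pdf-stream' artifacts are, and flag URLs whose path or
query carries a long high-entropy token. The sample PDF below is constructed here;
kovabune.example is a hypothetical host."""
import math
import re
import zlib
from urllib.parse import urlsplit

# /URI followed by a literal string: (...) with backslash escapes allowed inside.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)')
# Body of every stream ... endstream block; the body offset is what the report lists.
# The lookbehind keeps the 'stream' inside 'endstream' from starting a match.
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.S)


def unescape_pdf_string(raw):
    """Decode a PDF literal string: \\( \\) \\\\ \\n \\r \\t and \\ddd octal escapes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):          # backslash escape
            nxt = raw[i + 1]
            if nxt in b'01234567':                   # \ddd octal, one to three digits
                m = re.match(rb'[0-7]{1,3}', raw[i + 1:i + 4])
                out.append(int(m.group(), 8))
                i += 1 + len(m.group())
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode('latin-1')


def carve_streams(pdf):
    """Return (body_offset, inflated_bytes) for every stream whose body inflates as zlib.

    Streams with other filters (or none) are skipped here; their raw bytes are still
    covered by the plain-object scan in extract_uris()."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        try:
            carved.append((m.start(1), zlib.decompress(m.group(1))))
        except zlib.error:
            pass
    return carved


def extract_uris(pdf):
    """URLs from /URI actions in plain objects and inside inflated streams, in order, deduplicated."""
    found = [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]
    for _offset, body in carve_streams(pdf):
        found.extend(unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(body))
    seen = set()
    return [u for u in found if not (u in seen or seen.add(u))]


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def classify(url, min_len=24, min_entropy=4.0):
    """Flag a URL whose longest path/query token is both long and high-entropy.

    Simplified stand-in for the report's PDF_RANDOM_URL_LINK heuristic; the
    'pronounceable-random host label' half of that heuristic is not reproduced."""
    parts = urlsplit(url)
    tokens = re.findall(r'[A-Za-z0-9]+', parts.path + '?' + parts.query)
    token = max(tokens, key=len, default='')
    ent = shannon_entropy(token)
    return {'url': url, 'host': parts.hostname, 'token': token,
            'entropy': round(ent, 2),
            'flagged': len(token) >= min_len and ent >= min_entropy}


def scan_pdf(pdf):
    return [classify(u) for u in extract_uris(pdf)]


def build_sample_pdf():
    """Constructed sample: a benign link in a plain object and a lure link inside a
    FlateDecode object stream. No xref table, since the scanner never uses one."""
    benign = (b'<< /Type /Annot /Subtype /Link /A << /S /URI '
              b'/URI (http://en.wikipedia.org/wiki/MIT_License) >> >>')
    lure = (b'<< /Type /Annot /Subtype /Link /A << /S /URI '
            b'/URI (https://kovabune.example/r/9fK2xLq8ZpT4vWc1sRb7nHd3Ym0J) >> >>')
    packed = zlib.compress(b'7 0 obj\n' + lure + b'\nendobj\n')
    return (b'%PDF-1.7\n5 0 obj\n' + benign + b'\nendobj\n'
            b'6 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length '
            + str(len(packed)).encode() + b' >>\nstream\n' + packed
            + b'\nendstream\nendobj\n%%EOF\n')


if __name__ == '__main__':
    sample = build_sample_pdf()
    for off, body in carve_streams(sample):
        print('stream body at offset 0x%X inflates to %d bytes' % (off, len(body)))
    for r in scan_pdf(sample):
        print(('FLAG ' if r['flagged'] else 'info ') + r['url'], r['host'], r['entropy'])
```

Run it on a real file with `scan_pdf(open(path, 'rb').read())`. Two limits to keep in mind: hex-string `/URI <...>` forms and filters other than FlateDecode are not handled, and the token check alone would not fire on this report's URLs, whose longest tokens are short IDs such as GM431946152 (11 characters); the host-label half of the heuristic, omitted here, is what carries those.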