Malicious PDF — malware analysis report

Static analysis result for SHA-256 a48871f2d13cd0bc…

MALICIOUS

PDF

35.6 KB Created: 2021-06-27 16:52:26 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 51878ee3b98fe2443e286e0f6b12b287 SHA-1: 7c421b9dee3ba43db5471808222d9e609399af86 SHA-256: a48871f2d13cd0bc6cdd73a9f81f529ad920b0f5dbb5df0fdd980f65760bafa0
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file contains a large number of embedded links pointing to other PDFs, many of which are hosted on the IP address 103.68.2.77. The document body and embedded links suggest a lure for free in-game currency and exploits, likely a phishing or scam attempt. The ML classifier and PDF URI heuristics strongly indicate malicious intent, likely leading to further exploitation or malware download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.co/app/431946152/how-to-exploit-on-roblox-without-cheat-engine-game-hack PDF link annotation
    • http://103.68.2.77/__statics/gudangsoal/files/free-robux-without-verification-2021_GM431946152.pdfPDF link annotation
    • http://103.68.2.77/__statics/gudangsoal/files/how-do-you-get-free-robux-2021_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/coin-master-codes_GM406889139.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/daily-coin-master-free-spin-link_GM406889139.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/download-apk-tiktok-free_GM835599320.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/a-hack-gift-card-on-roblox_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/soporte-para-reportar-hacks-roblox_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-hack-someones-roblox-account-2021_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-get-free-robux-on-phone-2021_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-hack-coin-master-facebook_GM406889139.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/free-minecraft-games-for-kids_GM479516143.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/get-your-free-robux-for-roblox_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-free-robux-website_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/claim-free-robux_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-cheat-for-rocitzens_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-get-more-robux-for-free_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/cheat-engine-63-roblox-tycoon-hacks_GM431946152.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/minecraft-app-free-download_GM479516143.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/coin-master-free-2021-spin-link_GM406889139.pdfIn PDF document text
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-make-a-minecraft-server-for-free-java_GM479516143.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003281.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3281 22532 bytes
SHA-256: afe851797e55e69f294af65c948dc9336b1c8473ec4b8ab252be2095860443c6
font_01_sfnt_off000064bc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x64BC 19556 bytes
SHA-256: 6afa0b6383c70693049499b16d89ebdb7a504ff5b61863f83cd1b24467f1109b