Malicious PDF — malware analysis report

Static analysis result for SHA-256 a658b1c53402daa4…

Verdict: MALICIOUS

File type: PDF

Size: 35.2 KB
Created: 2021-06-30 09:40:27 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f3b73bab7d8205401f414c35009cf90f
SHA-1: 335b60fdc7c470f8505c8a921321dc080377d011
SHA-256: a658b1c53402daa4f103941da43f29662af96e053c66a51b6b5eb4480a590232
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document exhibits characteristics of a malicious lure, specifically employing a link farm strategy to direct users to external sites promising game cheats like "Robuxs Hack" or "Coin Master Free Spin". The presence of numerous SEO-optimized PDF links, coupled with the ML classifier's high confidence, strongly suggests an intent to exploit user interest in these topics for malicious purposes, likely leading to further malware downloads or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003303.bin
    SHA-256: 30f105a99ba8d10381e4d5a394a5ad32729b301126cefd8841fa048899facc42
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3303
    Size: 22220 bytes
  • Filename: font_01_sfnt_off00006403.bin
    SHA-256: 05f8d4ef6ae9180aa5b41a803bfb688ffa8f074a8a5cfd3d0febee9d8f15395d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6403
    Size: 19188 bytes