Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9beb2b71c79926b…

Verdict: MALICIOUS
File type: PDF
Size: 36.2 KB
Created: 2021-06-19 19:59:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 2c69842617e835981bbf7e43ade6b327
SHA-1: 104309eda98911359ef32d090b8888d29d7e897e
SHA-256: a9beb2b71c79926bbf86770ec92e3b665481bcb6b068a89548a31bcacfd6ac0d
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous embedded URLs and a "Robux Withdraw" lure, indicating a phishing or scam attempt. The ML classifier strongly flagged this PDF as malicious, and the presence of external links suggests it is designed to redirect users to download potentially harmful content. No scripts were extracted, but the overall structure and content point towards a malicious PDF designed for user deception.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000033e7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x33E7  22740 bytes
  SHA-256: 757756fae2244d23c0414e1e8ba6e8b5a8509d6e371801b7a9125dbfa5928e0d
font_01_sfnt_off0000671d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x671D  19476 bytes
  SHA-256: de7b824c09f735eb534751a8b52ce9a3732249b778a238cd25bbd76ceacef318