Malicious PDF — malware analysis report

Static analysis result for SHA-256 b28b5a5dc17636ed…

MALICIOUS

PDF

Size: 35.3 KB
Created: 2021-07-09 12:02:12 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9f026cc1f0a2f40df3d5f3b69e2d61d3
SHA-1: daa7f1de8f22052e35355297d9e9e9ec4f1a3558
SHA-256: b28b5a5dc17636ed3ff31d0d8abd710c528478843284f5b09cb5cec3b18a1b89
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous external links, many of which are SEO-optimized and point to files offering game hacks and cheats. The ML classifier strongly indicates maliciousness, and the document body explicitly mentions 'Free Tiktok Views Trial' and includes URLs for downloading 'hacks'. This suggests the document is designed to trick users into downloading malware or visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000033f9.bin
  SHA-256: eff13e8b60bc62194669848564afcbdc9af6e373a4e59971d4a79c6d68afb712
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x33F9
  Size: 22792 bytes

Filename: font_01_sfnt_off000066f4.bin
  SHA-256: 5f35db45ab05b56f697d0f4976ea61d8b30e0dbfc7e62510005d2f74ca057771
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x66F4
  Size: 18344 bytes