Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3fe1c6869bb5490…

Verdict: MALICIOUS
File type: PDF
Size: 36.1 KB
Created: 2021-06-18 07:27:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 107f70d14d6c9846ecd528a9c33b5b98
SHA-1: eca3cf6d04100c7b4e5fb96cca274bd142da81f9
SHA-256: b3fe1c6869bb54901176754d3b2781b6e855ed483e327ad4804cba3b19d7c6a2
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment

This PDF document contains numerous links to external websites, many of which are structured as SEO-optimized PDF links. The document body and extracted URLs suggest a lure for free game currency ('Robux') or cheats, which is a common tactic for distributing malware. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://netcdn.co/app/431946152/free-roblox-cheat-codes-game-hack (PDF link annotation)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/earn-free-robux-online-android_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/minecraft-name-tag-hacks_GM479516143.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/how-to-hack-into-other-peoples-account-on-roblox_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-roblox-accounts-with-robux-2021_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-robux-no-verification-no-survey_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-download-game-roblox-full-version_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-2021-100-works_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/websites-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-robux-no-human-verification-or-survey-2021_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/cool-free-outfits-roblox_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/no-download-roblox-free_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-easy_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/roblox-fashion-famous-download-free_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/100-free-tiktok-followers_GM835599320.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/como-conseguir-robux-gratis-sin-hacks-con-dos-links_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-aimbot-for-any-game-and-no-virus-roblox_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/how-to-get-22-000-free-robux_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/hack-roblox-pc-western-frontire-dark-rp_GM431946152.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-printable-minecraft-coloring-pages_GM479516143.pdf (in PDF document text)
    • http://e-learning.man2jombang.sch.id/__statics/gudangsoal/files/free-minecraft-pe-server_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000362b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x362B
    Size: 22556 bytes
    SHA-256: bedc8f33c61f6b55c993b9e1e3cdcad2f584971be0a02da3f22ea6db5bdca8bb
  • Filename: font_01_sfnt_off0000680f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x680F
    Size: 19092 bytes
    SHA-256: 16166b020ec2df35b4a962e79cd36569aa39bf3e7acc02af8184b75bf679af51