Malicious PDF — malware analysis report

Static analysis result for SHA-256 b426a3d69e2a9a3a…

Verdict: MALICIOUS
File type: PDF
Size: 50.4 KB
Created: 2021-05-13 08:39:03 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 75984d2f9038ea43b35e5bb4348e77f7
SHA-1: eb5a491b97b6e8432645c90b1429919eaa2f5419
SHA-256: b426a3d69e2a9a3ae41f7d968acd5510335e4521d117e7530ff61f4a7ae24386
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links and a document body referencing 'Free Robux Redeem Codes 2021', a lure aimed at users looking for in-game currency or cheats. The PDF_SEO_LINK_FARM heuristic firing indicates a large number of external links, mostly clustered on one host and likely pointing to scam or phishing sites. Although no scripts were extracted from the file, the embedded URLs together with the ML classification strongly suggest malicious intent: the document is most likely built to redirect users to malicious websites for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8594

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/431946152/free-robux-redeem-codes-2021-game-hack
    • http://bernd-voehringer.de/images/coin-master-game-free-spin-download_GM406889139.pdf
    • http://bernd-voehringer.de/images/free-ways-to-get-robux_GM431946152.pdf
    • http://bernd-voehringer.de/images/free-robux-hack-no-verification_GM431946152.pdf
    • http://bernd-voehringer.de/images/coin-master-hack-pro_GM406889139.pdf
    • http://bernd-voehringer.de/images/rape-simulator_GM431946152.pdf
    • http://bernd-voehringer.de/images/free-robux-generator-no-human-verification-or-surveys_GM431946152.pdf
    • http://bernd-voehringer.de/images/coin-master-free-coins--spins_GM406889139.pdf
    • http://bernd-voehringer.de/images/free-robux-codes-no-human-verification_GM431946152.pdf
    • http://bernd-voehringer.de/images/free-coin-and-spin-in-coin-master_GM406889139.pdf
    • http://bernd-voehringer.de/images/coin-master-free-spins-2021_GM406889139.pdf
    • http://bernd-voehringer.de/images/websites-that-give-free-robux_GM431946152.pdf
    • http://bernd-voehringer.de/images/100-free-spins-coin-master-link_GM406889139.pdf
    • http://bernd-voehringer.de/images/coin-master-free-spin-codes_GM406889139.pdf
    • http://bernd-voehringer.de/images/links-to-get-free-spins-on-coin-master_GM406889139.pdf
    • http://bernd-voehringer.de/images/coin-master_GM406889139.pdf
    • http://bernd-voehringer.de/images/get-free-robux-without-doing-anything_GM431946152.pdf
    • http://bernd-voehringer.de/images/coin-master-free-spins-link-2021-today_GM406889139.pdf
    • http://bernd-voehringer.de/images/minecraft-pocket-edition-mods-for-free_GM479516143.pdf
    • http://bernd-voehringer.de/images/coin-master-free-spins-link-blogspot-2021_GM406889139.pdf
    • http://bernd-voehringer.de/images/how-to-get-free-robux-for-free_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

font_00_sfnt_off00004e22.bin
  SHA-256: 1dd4ece6ff6874cee2891f14246527ecfd45698c47457e0b94171746af99b060
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4E22
  Size:    27376 bytes

font_01_sfnt_off00008c8c.bin
  SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8C8C
  Size:    2880 bytes

font_02_sfnt_off0000966c.bin
  SHA-256: 4555740682277f0055d57b15bd0ba953e5b51415ea3d21c93db391eace072d4f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x966C
  Size:    2816 bytes

font_03_sfnt_off0000a07d.bin
  SHA-256: 835008e062f354a08c5cd285c30dce0b291468b55589a8f36d5d300bab70ed7b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA07D
  Size:    18852 bytes