Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5f04acd1ecd5cf1…

Verdict: MALICIOUS
File type: PDF
Size: 48.3 KB
Created: 2021-06-03 06:18:54 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 6f52775a91519e101e3e07543d552c1f
SHA-1: d432a2a0b448af3efb6daec8345715481050d1f5
SHA-256: b5f04acd1ecd5cf17ae069da6ce05f709bc32eaf6094fa8182bff2cf7ef03d06
Risk score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF contains numerous embedded links to external resources. Apart from a Wikipedia link for the MIT License and a single netcdn.online URL, every extracted URL points to the same raw IPv4 address, 110.78.114.242, under /ckfinder/userfiles/files/, the default upload directory of the CKFinder file manager, and each target is itself a PDF named after a game cheat or free-download lure (Coin Master free spins, Roblox free Robux, Minecraft and Pokémon Go free downloads). The numeric _GM suffix on those filenames groups them by game title and recurs in the netcdn.online URL, whose path begins /app/479516143/ (the Minecraft identifier), so both hosts appear to belong to the same campaign. The document body, though heavily obfuscated, contains references to game downloads, suggesting a lure that routes users into downloading further malicious or unwanted content; the wkhtmltopdf producer string is consistent with such carrier PDFs being mass-generated from HTML templates. The Nyx PDF classifier also flagged the file as malicious with high confidence (score 0.9796).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] PDF_URI_IP_LITERAL: Clickable URI points to raw IP address
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low signal on its own unless other findings point to a malicious workflow.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.online/app/479516143/minecraft-free-download-mac-full-version-2021-game-hack
    • http://110.78.114.242/ckfinder/userfiles/files/daily-free-spin-and-coin_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/free-robux-no-human-verification-generator_GM431946152.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/free-spin-online-tool-coin-master_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/how-to-get-free-snacks-on-coin-master_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/moonactive-free-spins-coin-master_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/how-to-get-free-spins-on-coin-master-iphone_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/free-coin-master-spins-and-coins_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/how-do-i-get-free-spins-on-coin-master_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/coin-master-free-spins_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/how-to-get-800-robux-for-free_GM431946152.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/roblox-tracker_GM431946152.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/minecraft-free-ios-2021_GM479516143.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/minecraft-bedrock-edition-free-with-java_GM479516143.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/coin-master-daily-free-spins-25_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/minecraft-tower-defense-2-hacked_GM479516143.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/download-coin-master-apk-hacked_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/coin-master-hack-download-apk_GM406889139.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/to-pokemon-go-free-download_GM1094591345.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/free-robux-apk_GM431946152.pdf
    • http://110.78.114.242/ckfinder/userfiles/files/avatar-the-last-airbender-roblox_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
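The three link-based heuristics above (PDF_SEO_LINK_FARM, PDF_URI_IP_LITERAL, SE_DOWNLOAD_BUTTON) can be reproduced with the standard library alone. The block below is an added example written for this page, not the scanner's own code or the analysed sample: it locates /URI actions with a regex over PDF literal strings (enough for a PDF 1.4 file like this one, where annotations cannot be packed into object streams; encrypted files or PDF 1.5+ object streams need a real parser), inflates FlateDecode content streams to look for call-to-action text, and applies link-farm, raw-IP and CTA rules. The rule names mirror the report; the thresholds (10 PDF links, 80% on one host, under 200 KB), the RFC 5737 documentation address 192.0.2.10 and the constructed sample PDF are assumptions.

```python
import ipaddress
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# A /URI action target is a PDF literal string: "(" ... ")" with backslash escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
CTA_RE = re.compile(rb"click here to download|download now|free download", re.I)
PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def pdf_unescape(raw: bytes) -> str:
    r"""Undo PDF literal-string escapes: \( \) \\ \n ... and \ddd octal codes."""
    def one(m):
        e = m.group(1)
        if e[:1] in b"01234567":                      # octal escape, high bits dropped
            return bytes([int(e, 8) & 0xFF])
        return PDF_ESCAPES.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", one, raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI action target in the file (link annotations, OpenAction, ...)."""
    return [pdf_unescape(m.group(1)) for m in URI_RE.finditer(pdf)]


def decoded_streams(pdf: bytes):
    """Yield stream bodies, inflating FlateDecode ones (the wkhtmltopdf default)."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body                                # uncompressed or other filter: scan raw


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(pdf: bytes, min_links: int = 10, cluster_ratio: float = 0.8,
             small_bytes: int = 200_000):
    """Return (set of rule IDs that fire, per-host link counts). Thresholds are assumptions."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    pdf_targets = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    fired = set()
    if uris:
        fired.add("PDF_URI")
        top_share = hosts.most_common(1)[0][1] / len(uris)
        # Link farm: small file, many links to further PDFs, nearly all on one host.
        if len(pdf) < small_bytes and len(pdf_targets) >= min_links and top_share >= cluster_ratio:
            fired.add("PDF_SEO_LINK_FARM")
    if any(is_ip_literal(h) for h in hosts):
        fired.add("PDF_URI_IP_LITERAL")
    # Call-to-action text lives in the (usually compressed) page content streams.
    if any(CTA_RE.search(s) for s in decoded_streams(pdf)):
        fired.add("SE_DOWNLOAD_BUTTON")
    return fired, hosts


def pdf_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_sample_pdf(urls, body_text: str) -> bytes:
    """Constructed test input (not the analysed sample): one page with a Flate-compressed
    content stream and one /Link annotation carrying a /URI action per URL."""
    content = zlib.compress(f"BT /F1 12 Tf 72 700 Td ({pdf_escape(body_text)}) Tj ET".encode("latin-1"))
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "",                                       # page object, filled in below
            f"<< /Length {len(content)} /Filter /FlateDecode >>\nstream\n"
            + content.decode("latin-1") + "\nendstream"]
    annot_refs = []
    for u in urls:
        annot_refs.append(f"{len(objs) + 1} 0 R")
        objs.append("<< /Type /Annot /Subtype /Link /Rect [72 72 300 90] "
                    f"/A << /S /URI /URI ({pdf_escape(u)}) >> >>")
    objs[2] = ("<< /Type /Page /Parent 2 0 R /Contents 4 0 R /MediaBox [0 0 612 792] "
               f"/Annots [{' '.join(annot_refs)}] >>")
    body = "".join(f"{i} 0 obj\n{o}\nendobj\n" for i, o in enumerate(objs, 1))
    return f"%PDF-1.4\n{body}trailer\n<< /Root 1 0 R >>\n%%EOF\n".encode("latin-1")


# Constructed lure: a documentation address stands in for the report's raw IP, and the
# paths imitate the CKFinder upload-directory pattern of the extracted URLs.
FARM_HOST = "192.0.2.10"
SAMPLE_URLS = [f"http://{FARM_HOST}/ckfinder/userfiles/files/free-spins-{i}_GM{i}.pdf"
               for i in range(12)] + ["https://en.wikipedia.org/wiki/MIT_License"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, "Click here to download the full version")

if __name__ == "__main__":
    fired, hosts = classify(SAMPLE_PDF)
    print(sorted(fired))
    print(hosts.most_common(2))
```

On the constructed sample all four link rules fire, with 12 of 13 links on the raw-IP host; a second file with two links to named domains and no call-to-action text raises only the informational PDF_URI. Clustering is measured per host rather than per URL because a link farm varies the path, not the origin.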

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded TrueType/OpenType (sfnt) font programs, which wkhtmltopdf output routinely contains; none of the heuristics above fires on them, and they are listed for completeness.

font_00_sfnt_off000053d6.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x53D6
  Size:    26300 bytes
  SHA-256: b3f7e58858bf3331980d819640719d74e2bbf1d5a1da4bd9c55898fdc6170d71

font_01_sfnt_off00008e1c.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8E1C
  Size:    2912 bytes
  SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f

font_02_sfnt_off00009819.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9819
  Size:    18964 bytes
  SHA-256: b6087cd044d66512a4bbe462cbd4c424643b24317ccde57b4a21bed9d436f387