Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7e8491448a3bfe6…

MALICIOUS

PDF

Size: 44.3 KB
Created: 2021-06-03 12:33:02 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 806e86eacbbf0cdd8e8a9d28316460d1
SHA-1: 4d8a2d80b41ffb1b788e135f263b3da4b6104795
SHA-256: b7e8491448a3bfe6ec0be534143d8722baf7e3829ce8f7b0458e1a2c502b3155
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, many of which are SEO-optimized and point to sites offering game hacks or free in-game currency. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a link farm designed to attract users. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the presence of embedded URLs and the overall structure strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9865

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_004_off0000541b.bin
  SHA-256: 6fea288e2d7d882e345100f3cc5d1fa49a0536ef98735e59567535c2ea514fb4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x541B
  Size: 24488 bytes

Filename: font_01_sfnt_off00008b56.bin
  SHA-256: 6698963cbb1d852d96c53ab93a77ac893ef1ba4f062b6059a57d43c99368daf9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8B56
  Size: 17948 bytes