Malicious PDF — malware analysis report

Static analysis result for SHA-256 be0c6eae2b2ad0d7…

MALICIOUS

PDF

Size: 49.4 KB
Created: 2021-06-04 00:27:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 70061dd35caf1873a807fa2ba31f6b5e
SHA-1: 67614da5454b0f2a1a8878780de477f82c3e25c7
SHA-256: be0c6eae2b2ad0d7aecdceaf0a43aae04accaee9f1de8421a59105e2ed23188c
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded links, identified as a link farm, that lead to websites promising free in-game currency or accounts. The ML classifier strongly indicates maliciousness, and the presence of external URIs suggests the document is designed to redirect users to potentially malicious sites. The document body, though partially corrupted, contains text related to 'free Robux' and includes URLs that align with the link farm heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels state which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00005133.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5133 | 26968 bytes
  SHA-256: c5cc2d896ae2be2ed37a8692273a12aa02145e9eab876508897d88bb994980a7
font_01_sfnt_off000090e1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90E1 | 3656 bytes
  SHA-256: 9f0b708049ba3a27fe71af9d3da5d823b566ea88c56b157492a6ea759b34d87c
font_02_sfnt_off00009d9e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D9E | 18576 bytes
  SHA-256: 4e9b11cd56806b44a111e59337afa2364f0ba527e2b4797dd95234ca7f902292