Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfe3cf0c4030108a…

Verdict: MALICIOUS
File type: PDF
Size: 41.3 KB
Created: 2021-05-12 07:03:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 5d4bd050e037dddf1041813cf01f2f28
SHA-1: f07bc98db07043c7e5da0ad93ba3fb47cd41e969
SHA-256: bfe3cf0c4030108ad3795dcdb9acf0fc3c7133a3ab9b7e6207fcaa96745cbde2
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links and a link farm, all pointing to websites offering free in-game items or accounts, a common lure for scams and phishing. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were directly extracted, the PDF structure itself facilitates the redirection to malicious URLs.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9971

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_003_off000047ab.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x47AB | 24028 bytes | a372142fea55ef91f2ba93c71ef42465d8e9afeaaa5f730b7f1a2a72bfb12b15
font_01_sfnt_off00007e3a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E3A | 18444 bytes | c8869677d4d84c4518e8410e1128de6ae04a76f8db213e07b668dd1668cda2fe