Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2e090b13f2ade8f…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2021-05-19 13:42:38 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 265f7bec2a34bf77503dd3d8832a2cb8
SHA-1: 2f7a8c8eda6119835c22556d5258fbe2cf51e8a4
SHA-256: c2e090b13f2ade8fb82bd13061c5091b7f9ed3d99e00d9ae9721dfebb428c118
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains a large number of external links, almost all of them pointing to further PDF files on a single host (lpm.umi.ac.id) and titled as "hacks" or "free" resources for games such as Coin Master and Roblox. The ML classifier scored it as malicious with high confidence (0.9432), and the clustering of PDF-to-PDF links on one host matches a generated SEO link farm built to route users toward malicious or unwanted-software downloads rather than a genuine citation pattern; the wkhtmltopdf producer string is consistent with the file being rendered from an auto-generated web page. No scripts were extracted and the carved artifacts are only a content stream and two embedded fonts, so the carrier itself holds no active content: the verdict rests on the document's structure and link content, which point to a phishing or malware-distribution lure, and the actionable risk sits in the linked hosts and whatever they serve next rather than in this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9432

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/406889139/http-coin-master-hack-club-game-hack
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/hacked-client-for-minecraft-bedrock_GM479516143.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/roblox-hacked-version-download_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/robux-free-gift-card-org-hack_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-to-get-free-robux-no-survey_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/hack-coin-master-apk-mod_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/coin-master-free-spins-no-survey_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-do-i-get-free-robux-on-roblox_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/www-claim-gg-to-earn-free-robux_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-to-hack-to-get-robux_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/master-coin-hack_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/blox-world-free-robux_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/roblox-premium-free_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/free-robux-hack-no-human-verification-or-survey_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/free-gold-cards-for-coin-master_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/coin-master-free-spin-and-coins-links-2021_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-to-hack-someones-account-on-roblox_GM431946152.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/coin-master-spins_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-do-i-get-free-spins-on-coin-master_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/latest-free-spin-coin-master-daily_GM406889139.pdf
    • https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/free-account-roblox-with-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
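The PDF_SEO_LINK_FARM heuristic above (many clickable external .pdf links clustered on one host inside a small file) and the FlateDecode stream inflation used to carve the artifacts further down can be reproduced with a short stand-alone scanner. The following is an added example, not the report engine's code: it pulls /URI action targets out of raw object dictionaries and out of any stream that inflates as FlateDecode (annotation dictionaries can hide inside compressed object streams), clusters the .pdf targets by host, and applies illustrative thresholds (file size at most 200 KB, at least 10 external PDF links, top host holding at least 70% of them). Those thresholds, and the minimal one-page PDF the script builds in memory from this report's URL list, are assumptions constructed for the example; the analysed sample itself is not reproduced.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Illustrative thresholds (assumptions for this example, not the report engine's settings).
MAX_SIZE_BYTES = 200 * 1024        # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 10        # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.7           # "mostly clustered on one host"

# /URI action whose target is a literal string; escaped parentheses inside are tolerated.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape_pdf_string(raw: bytes) -> str:
    # Undo PDF literal-string escapes: \( \) \\ \n \r \t and \ddd octal.
    def repl(m):
        esc = m.group(1)
        if esc[:1].isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    # Scan the raw file first, then every stream that inflates as FlateDecode,
    # since annotation dictionaries may live inside compressed object streams.
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or truncated); the raw scan already covered it
    return [_unescape_pdf_string(m.group(1)) for blob in blobs for m in URI_RE.finditer(blob)]


def link_farm_verdict(pdf_bytes: bytes) -> dict:
    uris = extract_uris(pdf_bytes)
    external_pdf = [
        u for u in uris
        if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")
    ]
    hosts = Counter(urlparse(u).netloc.lower() for u in external_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external_pdf) if external_pdf else 0.0
    flagged = (
        len(pdf_bytes) <= MAX_SIZE_BYTES
        and len(external_pdf) >= MIN_EXTERNAL_PDF_LINKS
        and share >= MIN_TOP_HOST_SHARE
    )
    return {
        "size_bytes": len(pdf_bytes),
        "total_uris": len(uris),
        "external_pdf_links": len(external_pdf),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "PDF_SEO_LINK_FARM": flagged,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    # Constructed minimal one-page PDF whose only content is one /Link annotation per URL.
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        ("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
         + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >>").encode(),
    ]
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


# Subset of the URLs listed in this report, used to construct the sample.
SAMPLE_URLS = [
    "https://netcdn.xyz/app/406889139/http-coin-master-hack-club-game-hack",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/hacked-client-for-minecraft-bedrock_GM479516143.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/roblox-hacked-version-download_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/robux-free-gift-card-org-hack_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-to-get-free-robux-no-survey_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/hack-coin-master-apk-mod_GM406889139.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/coin-master-free-spins-no-survey_GM406889139.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-do-i-get-free-robux-on-roblox_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/www-claim-gg-to-earn-free-robux_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/how-to-hack-to-get-robux_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/master-coin-hack_GM406889139.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/blox-world-free-robux_GM431946152.pdf",
    "https://lpm.umi.ac.id/asset/ckfinder/userfiles/files/roblox-premium-free_GM431946152.pdf",
    "http://en.wikipedia.org/wiki/MIT_License",
]

if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass `open(path, "rb").read()` to `link_farm_verdict`. The scanner only understands literal-string targets (hex-string `<...>` URIs, encrypted documents and streams with non-Flate filters are not handled), and the wikipedia and netcdn.xyz links in the sample are counted as URIs but excluded from the link-farm tally because they do not end in `.pdf`; a real engine would additionally attribute each URL to the channel that reached it, as the EMBEDDED_URL finding describes.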

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_003_off00004c90.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x4C90
  Size:    25484 bytes
  SHA-256: 5a689b28d3ceaccaa61acc9e287834fe03770fed92a22354a4c5007d35d47651

font_01_sfnt_off000086bc.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x86BC
  Size:    2824 bytes
  SHA-256: 381f6d859be141449dd645f7be1484d2a1cf49218dc471b402dae69eaa2b11d5

font_02_sfnt_off0000905e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x905E
  Size:    18264 bytes
  SHA-256: 96dcf9cab8c9fb238960f977a2b624e306cfdaf9711145744c5654b062c5866a