Malicious PDF — malware analysis report

Static analysis result for SHA-256 c681c7fb28c6ce3a…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Created: 2021-06-21 09:31:37 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 60dfc62799f220a761969a811928b9ad
SHA-1: d3cf35709a02e0496e355c0fcbe2d1832271841a
SHA-256: c681c7fb28c6ce3a08fb1c2d7a4622aa405069ab7d88f8ff2f3f94a4caeca4a8
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large set of embedded URLs that form a link farm: links promising free Robux, Coin Master spins and Minecraft/Roblox hacks, almost all pointing at further PDFs under a CKFinder upload directory (/admin/ckfinder/userfiles/files/) on a single host, plus one outlier on a second host (netcdn.co) with a "free robux" app path. This layout is consistent with SEO-spam PDF carriers planted through a site's file-upload feature, and the wkhtmltopdf producer string indicates the file was generated from an HTML template rather than authored by hand. The ML classifier scores the file 0.998 malicious, and the critical PDF_SEO_LINK_FARM heuristic together with a download call-to-action lure reinforces that verdict. No script content was extracted from the file itself, so the T1059.007 (JavaScript) mapping is an inference about the download pages the links lead to, not an observation about this PDF; the file's role is to route users from search results into a download chain for unwanted or malicious software.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow, as they do here.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://netcdn.co/app/431946152/free-robux-no-human-verification-or-survey-2021-game-hack
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/coin-master-free-spins-link-2021_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/how-to-get-hacks-on-minecraft_GM479516143.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/free-robux-real-2021_GM431946152.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/how-to-hack-in-roblox-without-cheat-engine_GM431946152.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/free-minecraft-java-account_GM479516143.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/free-robux-games-that-actually-work_GM431946152.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/coin-master-free-spins-link-today-ios_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/apps-to-get-free-robux_GM431946152.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/free-robux-no-verification-no-survey_GM431946152.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/coin-master-shield-hack_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/archery-master-3d-hack-unlimited-coins-cheats_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/minecraft-online-free-no-download_GM479516143.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/free-realistic-minecraft-texture-packs_GM479516143.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/wwwhaktutsin-2021-08-coinmasterfreespinandcoinlinkhtml-m-1_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/best-minecraft-hacks_GM479516143.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/hack-my-game-xyz-coin-master_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/earn-free-spins-for-coin-master_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/robux-free-robux_GM431946152.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/free-spins-for-coin-master-app_GM406889139.pdf
    • https://www.mtiwelding.co.uk/admin/ckfinder/userfiles/files/how-to-get-free-hair-in-roblox_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
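The PDF_SEO_LINK_FARM rule described above can be reproduced offline. The following is an added example, not the analysis platform's code: it pulls every /URI action out of the raw PDF bytes (literal and hex string forms, with PDF string escapes resolved), groups the external links by host, and flags a small file whose links mostly point at one host. The sample PDF builder, the example hosts and URLs, and the thresholds (10 links, 60% on one host, 256 KB) are constructed assumptions for illustration.

```python
# Added example (not the analysis platform's code): a minimal, offline
# implementation of a PDF_SEO_LINK_FARM-style check.  It pulls every /URI
# action out of a PDF, measures how the external links cluster by host, and
# flags small files whose links mostly point at one host.  The sample PDF,
# its URLs and the thresholds are constructed for illustration.
import re
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string (with escapes) or a hex string.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
_OCTAL_RE = re.compile(rb"\\([0-7]{1,3})")
_SIMPLE_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t \\b \\f and \\ddd octal."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            m = _OCTAL_RE.match(raw, i)
            if m:
                out.append(int(m.group(1), 8) & 0xFF)
                i = m.end()
                continue
            nxt = raw[i + 1:i + 2]
            out += _SIMPLE_ESC.get(nxt, nxt)  # \( -> (, \) -> ), \\ -> \
            i += 2
        else:
            out += raw[i:i + 1]
            i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target in file order (literal and hex string forms).
    Caveat: this scans raw bytes, so URIs inside compressed object streams
    (PDF 1.5 /ObjStm) would be missed without decompressing them first."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group(1) is not None:
            raw = _unescape(m.group(1))
        else:
            h = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
            raw = bytes.fromhex(h + "0" if len(h) % 2 else h)  # PDF pads odd hex
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf: bytes, min_links: int = 10, min_share: float = 0.6,
                      max_size: int = 256 * 1024) -> dict:
    """Small file + many external links + one dominant host => link farm.
    Thresholds are illustrative assumptions, not the platform's values."""
    external = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external) if external else 0.0
    flagged = len(pdf) <= max_size and len(external) >= min_links and share >= min_share
    return {"size": len(pdf), "external_links": len(external), "hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(share, 3), "flagged": flagged}


def build_sample_pdf(urls) -> bytes:
    """Constructed one-page PDF 1.4 with one /Link annotation per URL
    (sample input only; a real carrier also has text and fonts)."""
    bodies = ["<< /Type /Catalog /Pages 2 0 R >>",
              "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
              "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
              + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >>"]
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        y = 780 - 14 * i
        bodies.append(f"<< /Type /Annot /Subtype /Link /Rect [40 {y} 560 {y + 12}] "
                      f"/A << /S /URI /URI ({esc}) >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref = len(out)
    out += f"xref\n0 {len(bodies) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(bodies) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


# Constructed URL set mirroring the report's pattern: one outlier host, twenty
# links under one upload directory on a single host, one benign license link.
SAMPLE_URLS = (["http://cdn.example.net/app/431946152/free-robux-no-survey"]
               + [f"https://files.example.org/userfiles/files/free-spins-{i}_GM{i:06d}.pdf"
                  for i in range(20)]
               + ["http://en.wikipedia.org/wiki/MIT_License"])

if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URLS)))
```

On the constructed sample the verdict reports 22 external links across 3 hosts with about 91% on one host, so it is flagged; two links on two hosts are not. The raw-byte scan is enough for PDF 1.4 output, where annotation dictionaries sit uncompressed, but a file using object streams needs a real parser (pdf-parser.py or peepdf) to inflate /ObjStm before the /URI keys are visible. The SE_DOWNLOAD_BUTTON phrase check is deliberately not included: the button text lives in Flate-compressed content streams rendered with subsetted fonts, so matching 'Download Now' reliably requires proper text extraction rather than a byte-level regex.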

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt, i.e. TrueType/OpenType containers) carved so they can be hashed and scanned separately; no finding is reported against either.

font_00_sfnt_off0000315f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x315F
  Size: 22548 bytes
  SHA-256: de048ac4606d872168879d1a83d20c52faf882795d73d6fe01f4a28985a73f50

font_01_sfnt_off000063b0.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x63B0
  Size: 20028 bytes
  SHA-256: a686843967d16d630a3d792aecd0df7810ef9440d33d67b3fe7886ce86e787de