Malicious PDF — malware analysis report

Static analysis result for SHA-256 c73ab86724e576ec…

Verdict: MALICIOUS
File type: PDF
Size: 33.7 KB
Created: 2021-07-09 22:30:40 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 6e3a08414b4e6163c742f80844f03edf
SHA-1: a3202844a4001fd38d7b44ed681cf040cfc801e1
SHA-256: c73ab86724e576ece95c606380927563d0fc90aa877df4fb40c077be9bfccf0f
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document contains numerous links disguised as offers for game cheats and free in-game currency. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a link farm designed to attract users. The ML classifier also flagged this PDF as malicious with high confidence. The primary goal appears to be directing users to potentially malicious websites via these embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/406889139/free-spins-for-coin-master-game-hack
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/free-coin-master-spins-blog_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/free-minecraft-servers-to-join_GM479516143.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/how-to-hack-roblox-accounts-with-cheat-engine-62-2021_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/minecraft-java-edition-free-download-for-android_GM479516143.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/20210-free-spin-links-for-coin-master_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-today-ios_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/roblox-rape-hack_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-blogspot-today_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/free-ways-to-get-robux_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/daily-coin-master-free_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/piano-roblox-hack_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-promo-codes_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/minecraft-free-download-ipad_GM479516143.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/hacks-for-roblox-royale-high_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/how-do-i-get-minecraft-for-free_GM479516143.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-2021-blogger_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/show-me-how-to-get-free-robux_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/coin-master-free-2021-spin-link_GM406889139.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/rbl-gg-free-robux_GM431946152.pdf
    • http://elearning.mtsn2lamtim.sch.id/__statics/gudangsoal/files/real-free-spins-for-coin-master_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00003072.bin
SHA-256: 4f6b8c8e59882459721168ebfde23e96a723616134f13c89d8e450e6978a0d03
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x3072
Size: 22068 bytes

Filename: font_01_sfnt_off00006156.bin
SHA-256: 0b37b87f907bc50fa1e450587a0e1f43116f92b011bc5b47444974eee354eb2f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6156
Size: 18176 bytes