Malicious PDF — malware analysis report

Static analysis result for SHA-256 d41902b5deb17490…

Verdict: MALICIOUS
File type: PDF
Size: 45.8 KB
Created: 2021-05-14 08:22:05 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 17681a2ecba8d4e100397c25bf66b4b9
SHA-1: c551bfbcb0686de2c4e11709320b38a6f58706a0
SHA-256: d41902b5deb174907ad04c1689096a83aed5bb98a7fb775f882ceac11dcb7a47
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic, almost all of them pointing to further PDFs on a single host (www.trendsfashionusa.com). The primary URL, https://netcdn.xyz/app/406889139/daily-spin-game-hack, and the link titles (free spins, free Robux, hack APKs) show a lure aimed at players looking for Coin Master and Roblox cheats. The Nyx PDF classifier independently scored the file as malicious. No JavaScript or other scripts were extracted, so the risk lies in the links themselves: the file is a generated carrier that redirects users to malicious or spam content, most likely as part of an SEO-poisoning or phishing campaign. The wkhtmltopdf producer string is consistent with a template-generated document rather than one authored by hand.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9432

Heuristics (4)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (22):
    • https://netcdn.xyz/app/406889139/daily-spin-game-hack
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/coin-master-free-spin-daily-link_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/what-games-on-roblox-give-you-free-robux_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/free-robux-kid-friendly-no-human-verification_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/coin-master-free-spins-hack-2021_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/free-redeem-code-for-coin-master_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/coin-master-free-snacks-link_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/coin-master-hack-apk_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/free-roblox-girl-clothes_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/adopt-me-roblox-hacks_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/free-coin-master-hacks-no-verification_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/free-robux-discord_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/roblox-hack-tool_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/how-to-hack-to-get-robux_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/download-hack-coin-master-apk_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/how-to-get-free-robux-no-verification_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/coin-master-daily-free-coins-link_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/rbx-hut-promo-codes_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/10-free-spins-coin-master_GM406889139.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/how-to-get-free-robux-on-mobile_GM431946152.pdf
    • https://www.trendsfashionusa.com/uploaded_files/userfiles/files/is-there-a-free-version-of-minecraft_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License
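
The PDF_SEO_LINK_FARM heuristic above combines three observations: a small file, many clickable external links, and most of those links on one host. The Python below is an added example of that check, not the scanner's own code. It pulls /URI action targets out of the raw bytes and applies thresholds that are my assumptions (the report does not publish the real ones). The sample PDF is constructed inline: the hosts are the ones listed in this report, the paths are made up, and the file has no xref table, so it is meant for scanning rather than rendering.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# A URI action carries its target as a PDF literal string: /A << /S /URI /URI (https://...) >>
# Literal strings may escape ')' as '\)', so the capture allows backslash escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Thresholds are assumptions made for this example; the report does not publish the real ones.
MAX_SIZE_BYTES = 200 * 1024      # "small PDF"
MIN_EXTERNAL_LINKS = 10          # "many clickable external links"
MIN_TOP_HOST_SHARE = 0.6         # "mostly clustered on one host"


def _unescape(raw: bytes) -> str:
    """Undo the common literal-string escapes \\( \\) \\\\ and decode the bytes as Latin-1."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI literal-string target visible in the raw file.

    Limitation: targets written as hex strings <...> or stored inside compressed
    object streams (/Type /ObjStm) are not seen; those would need inflating first.
    """
    return [_unescape(m) for m in URI_RE.findall(pdf)]


def link_farm_score(pdf: bytes) -> dict:
    """Apply the link-farm heuristic and return the evidence behind the verdict."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external) if external else 0.0
    fires = (
        len(pdf) <= MAX_SIZE_BYTES
        and len(external) >= MIN_EXTERNAL_LINKS
        and share >= MIN_TOP_HOST_SHARE
    )
    return {
        "size_bytes": len(pdf),
        "external_links": len(external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "PDF_SEO_LINK_FARM": fires,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed one-page PDF with one link annotation per URL (no xref; for scanning only)."""
    def lit(s: str) -> bytes:
        # Escape the characters that are special inside a PDF literal string.
        return s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (" + lit(u) + b") >> >>\n"
        for u in urls
    )
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
        b"%%EOF\n"
    )


# Constructed sample: the hosts are the ones listed in this report, the paths are made up.
FARM_URLS = (
    ["https://netcdn.xyz/app/406889139/daily-spin-game-hack"]
    + [f"https://www.trendsfashionusa.com/uploaded_files/userfiles/files/lure-{i:02d}.pdf" for i in range(20)]
    + ["http://en.wikipedia.org/wiki/MIT_License"]
)
# A document citing a handful of unrelated sites, for contrast (constructed).
NORMAL_URLS = [
    "https://www.example.org/paper.pdf",
    "https://www.example.net/dataset",
    "https://www.example.com/contact",
]

if __name__ == "__main__":
    for label, urls in (("link farm", FARM_URLS), ("normal", NORMAL_URLS)):
        print(label, link_farm_score(build_sample_pdf(urls)))
```

The thresholds are the tunable part: the host-share test is what separates a link farm from a long bibliography, since a real citation list spreads across many hosts, and the size bound keeps the rule from firing on large reports that legitimately carry hundreds of links.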

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_003_off00004cb1.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x4CB1
  Size:    25560 bytes
  SHA-256: 2acf8f8155dbff3cfac41c7c7e7490e744c8e9aaebc2b27467836ede0eeb9b92

font_01_sfnt_off000086fb.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x86FB
  Size:    17896 bytes
  SHA-256: f5c28686dcaa6e4f5af5eb824d4c2910815e14a2156f8517a627a86c98a11a8a

font_02_sfnt_off0000a7b3.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA7B3
  Size:    3264 bytes
  SHA-256: e32c06502c11b52acb5e814091c5fdbffd1e2a904ac7a9cfb8b5b180bd139088