Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8dbf20beba11ec8…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
Created: 2021-05-17 07:02:28 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 99d1eb8a4c3fbb370928b68dc853c90a
SHA-1: aa3fd938045683a3e7f2de19b407781acbb9ede4
SHA-256: d8dbf20beba11ec84207b2f73a9dbee9f6e19032a70b57d9861b4712ea2279ca
Risk score: 110

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a mass of external links, many of which point to other PDF documents related to "hacks" or "generators". This suggests the document is part of a link farm or SEO poisoning campaign designed to drive traffic to malicious or misleading content. The presence of embedded JavaScript indicates an attempt to execute code, likely to facilitate further malicious activity or redirect the user.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9621

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/406889139/coin-master-in-app-purchase-hack-game-hack
    • https://sundae.co.th/js/userfiles/files/how-to-get-free-robux-on-iphone_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/buy-robux-free_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/free-roblox-followers-generator-2021_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/free-spin-app-coin-master_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/daily-spin-and-coin_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/free-robux-without-survey_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-free-spins-and-coins-link-today_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/how-do-you-get-free-robux-without-paying_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-daily-free-spins-and-coins_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-pc-hack-download_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-free-gold-cards_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/extra-free-spins-for-coin-master_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/is-there-an-actual-hack-that-work-for-coin-master_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-hack-no-survey-or-verification_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/free-roblox-clothes-codes_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/how-can-i-get-free-spins-on-coin-master_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-heaven-free-spins-link_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/roblox-piano-hack_GM431946152.pdf
    • https://sundae.co.th/js/userfiles/files/coin-master-daily-free-spins-2021_GM406889139.pdf
    • https://sundae.co.th/js/userfiles/files/how-to-get-free-robux-with-no-verification_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • stream_003_off00004a01.bin
    SHA-256: 1aae349ea28a4c3359d72b0a5f626c90211dc0c9b51b5ba744275e888ff4e292
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4A01
    Size: 24532 bytes
  • font_01_sfnt_off000082b4.bin
    SHA-256: 4b3e0f36ad1e0c7e3ea5c178fd2b4f097d1e01575fc6a4101a8b520db34dfe07
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82B4
    Size: 3400 bytes
  • font_02_sfnt_off00008ddd.bin
    SHA-256: 37c61889bff08c2bddd56bfb017dd32b1bdcae49f78bbe236cb4c9fcda307a6c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8DDD
    Size: 18352 bytes