Malicious PDF — malware analysis report

Static analysis result for SHA-256 d985cc5a79f55b86…

MALICIOUS

PDF

Size: 51.6 KB
Created: 2021-05-11 14:46:38 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 743fbaf72e47a8c5c6f4a8342c3d94e2
SHA-1: c4377ae038ebf3713d76f04b2cf4b896065d9184
SHA-256: d985cc5a79f55b86bda1f3a213832e34f11ec2537060e0b335fa6993be7ffd28
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous embedded links, identified as a link farm, that direct users to pages offering 'free Robux' or 'Coin Master hacks'. The ML classifier strongly indicated maliciousness, and the presence of a download button lure reinforces the deceptive nature of the document. The primary goal appears to be tricking users into visiting these external sites, likely to download further malware or engage in credential harvesting.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9348

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_003_off00004c7c.bin | ca1c1c8d927583eb7d0f5ef85fbfe51581799dad5ec4786d9874bc37a750d03d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4C7C | 25644 bytes |
| font_01_sfnt_off0000882c.bin | 32450853c2a587c9c6e6d0f210085934e506353eb4eb401095cd3f740e9a71ef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x882C | 9480 bytes |
| font_02_sfnt_off0000a5f7.bin | 2b124103857761273712b4ba35fd952769b133cd88df24246d0abbfc30abcd7b | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5F7 | 18912 bytes |