Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc5eef9298b0344c…

MALICIOUS

PDF

46.9 KB Created: 2021-06-11 12:41:38 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b2f27424eaebfe66322ffb64cf8ad2aa SHA-1: 52548bf5a9e1e60e3b4f08bee145462f5d515ec9 SHA-256: dc5eef9298b0344cd273c6f3b734cf2bce857c1a8c6d47c37d1aace84c83a67f
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are SEO-optimized and point to game-related content, suggesting a link farm or phishing lure. The presence of a 'browser extension/update installation lure' heuristic indicates the document likely directs users to install malicious software or extensions. While no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of a malicious document designed to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9832

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.tw/app/431946152/hacker-keeps-deleting-baseplate-roblox-game-hack
    • http://librarysenior.com/repository/is-roblox-free-on-nintendo-switch_GM431946152.pdf
    • http://librarysenior.com//repository/get-me-robux_GM431946152.pdf
    • http://librarysenior.com//repository/minecraft-hacked-client-bedrock_GM479516143.pdf
    • http://librarysenior.com//repository/free-chest-coin-master_GM406889139.pdf
    • http://librarysenior.com/repository/legit-free-spins-coin-master_GM406889139.pdf
    • http://librarysenior.com/repository/get-free-robux-com_GM431946152.pdf
    • http://librarysenior.com/repository/easy-and-quick-free-robux_GM431946152.pdf
    • http://librarysenior.com//repository/coin-master-mod-apk-unlimited-spin-download-free-full-version_GM406889139.pdf
    • http://librarysenior.com//repository/free-robux-not-a-scam_GM431946152.pdf
    • http://librarysenior.com/repository/how-to-hack-roblox-accounts-2021-mobile_GM431946152.pdf
    • http://librarysenior.com//repository/coin-master-free-download-for-pc_GM406889139.pdf
    • http://librarysenior.com/repository/can-you-hack-coin-master_GM406889139.pdf
    • http://librarysenior.com/repository/coin-master-hack-version-ios_GM406889139.pdf
    • http://librarysenior.com//repository/moon-active_GM406889139.pdf
    • http://librarysenior.com/repository/how-to-get-free-spins-on-coin-master-hack_GM406889139.pdf
    • http://librarysenior.com/repository/coin-master-free-spin-group_GM406889139.pdf
    • http://librarysenior.com/repository/android-fast-roblox-hack-2021_GM431946152.pdf
    • http://librarysenior.com/repository/coin-master-daily-free-spins-today_GM406889139.pdf
    • http://librarysenior.com//repository/free-coins-coin-master-link_GM406889139.pdf
    • http://librarysenior.com/repository/coin-master-jackpot-madness-hack_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00005222.bin
cac24669d70c36673c72bd6619e5dadb7ddc517d2a9e7630eee16d5a92471e4e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5222 27740 bytes
font_01_sfnt_off00009284.bin
5bc04526eef4295b49bd388b14b3cb1188c678edaf87e22410ecbfdeaefa4a3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9284 19036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.