Malicious PDF — malware analysis report

Static analysis result for SHA-256 deade1a52ce59b75…

Verdict: MALICIOUS

File type: PDF

Size: 44.8 KB
Created: 2021-06-07 09:14:07 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: f9a829891c7be755c1bd6e5092950117
SHA-1: 54c427afbf6e5a9c76ac4ece1838fd9575ba1118
SHA-256: deade1a52ce59b7590699466776b2dbd76e2def5a2c789d0738f798abe6975e5

Risk Score: 110

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded URLs that form a link farm: one clickable link annotation pointing at netcdn.tw, and twenty further links to .pdf files in the document text, all on a single host (repository.ummy.ac.id), plus a Wikipedia link. The document text and the heuristics indicate a lure themed around game hacks (Roblox and Coin Master "free robux" / "free spins" content), consistent with an attempt to route users into unwanted-software downloads or compromised sites. No JavaScript or other scripts were extracted from the sample, so the verdict rests on the document structure and the link-farm pattern rather than on an embedded payload; any further payload would be delivered by the linked sites, not by the PDF itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9865

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/roblox-hack-2021-android-fast-game-hack (PDF link annotation)
    • http://repository.ummy.ac.id/repository/is-roblox-free-on-nintendo-switch_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/coin-master-offline-hack_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/free-coins-coin-master-blog_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/free-coins-and-spins_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/how-to-become-a-hacker-in-roblox_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/how-to-get-free-robux-on-roblox_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/coin-master-free-spins-link-no-verification-2021_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/free-robux-on-phone_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/bloxpage-free-robux_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/100-free-spins-coin-master_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/roblox-free-robux-no-verification_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id/repository/roblox-scripts-for-games-hack_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/free-spin-today-coin-master_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/free-spins-and-coins-coin-master-links_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/coin-master-free-spin-and-coins-links-2021_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/hack-coin-master-apk-33_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/roblox-promo-codes-for-free-robux_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/free-roblox-generator_GM431946152.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/coin-master-hack-pc-cheat-engine_GM406889139.pdf (in PDF document text)
    • http://repository.ummy.ac.id//repository/how-do-you-hack-for-2021000-coins-on-flip-master_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind                       Source                                       Size
stream_004_off00004f09.bin      decompressed-pdf-stream    PDF FlateDecoded stream at offset 0x4F09     25268 bytes
  SHA-256: ba94452123aae70e67346c57c4ef7112da4fdab5a969fac50bebc8a1fd97c38f
font_01_sfnt_off000089a1.bin    pdf-font-stream            PDF embedded font (sfnt) at offset 0x89A1    19144 bytes
  SHA-256: e511c8b9e63814c8fb7b20f0adee7d299885bdaf8d32142173eea7bb25d1d7b9
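Added example (written for this page; it is not the analyser's code and was not run against the real sample): the script below reproduces statically the three findings the report relies on, PDF_URI (a /URI action behind a link annotation), EMBEDDED_URL with its per-URL channel label, and PDF_SEO_LINK_FARM (many .pdf links clustered on one host), and in doing so decompresses a FlateDecode stream of the same kind carved as stream_004 above. The PDF it parses is constructed inline with placeholder hosts (farm.example, cdn.example); the thresholds of 10 links and 70% on one host are assumptions for the example, not the analyser's values.

```python
"""Static triage of a PDF for external links and link-farm clustering.
Added example for this page; not the analyser's own code. Thresholds and
the embedded sample document are assumptions, not values from the real sample."""
import re
import zlib
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(rb'https?://[^\s()<>"\']+')
# /A << /S /URI /URI (target) >>  is the URL action behind a link annotation
URI_ACTION_RE = re.compile(rb'/S\s*/URI\s*/URI\s*\(([^)]*)\)')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)endstream', re.DOTALL)


def build_sample_pdf(n_links: int = 12) -> bytes:
    """Constructed input: a tiny PDF with one /URI link annotation and a
    FlateDecode content stream whose text lists many .pdf links on one host.
    Hosts and paths are placeholders (not those of the analysed sample); the
    xref table is omitted because the regex extractor below never needs it."""
    lines = [
        b'BT /F1 10 Tf 20 %d Td (http://farm.example/repo/page-%02d.pdf) Tj ET'
        % (700 - 12 * i, i)
        for i in range(n_links)
    ]
    lines.append(b'BT /F1 10 Tf 20 100 Td (https://en.wikipedia.org/wiki/MIT_License) Tj ET')
    content = zlib.compress(b'\n'.join(lines))
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(content)
        + content + b'\nendstream',
        b'<< /Type /Annot /Subtype /Link /Rect [20 20 200 40] '
        b'/A << /S /URI /URI (https://cdn.example/app/1/download) >> >>',
    ]
    pdf = b'%PDF-1.4\n'
    for num, body in enumerate(objs, start=1):
        pdf += b'%d 0 obj\n' % num + body + b'\nendobj\n'
    return pdf + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


def extract_urls(pdf: bytes) -> List[Tuple[str, str]]:
    """Return (url, channel) pairs: 'link annotation' for /URI actions in the
    raw object syntax, 'document text' for URLs inside (decompressed) streams."""
    found: List[Tuple[str, str]] = []
    for m in URI_ACTION_RE.finditer(pdf):
        found.append((m.group(1).decode('latin-1'), 'link annotation'))
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            # FlateDecode; decompressobj tolerates trailing bytes after the zlib stream
            data = zlib.decompressobj().decompress(data)
        except zlib.error:
            pass  # not Flate (or corrupt): scan the raw bytes as-is
        for url in URL_RE.findall(data):
            found.append((url.decode('latin-1'), 'document text'))
    return found


def link_farm_verdict(urls: List[Tuple[str, str]],
                      min_links: int = 10, min_share: float = 0.7) -> Dict[str, object]:
    """Score the PDF_SEO_LINK_FARM pattern: many links to .pdf files clustered on
    one host. min_links / min_share are this example's assumed thresholds."""
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith('.pdf')]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        'has_uri_action': any(ch == 'link annotation' for _, ch in urls),  # PDF_URI
        'pdf_link_count': len(pdf_links),
        'top_host': top_host,
        'top_host_share': round(share, 2),
        'link_farm': len(pdf_links) >= min_links and share >= min_share,
    }


if __name__ == '__main__':
    sample = build_sample_pdf()  # for a real file: open(path, 'rb').read()
    hits = extract_urls(sample)
    for url, channel in hits:
        print(f'{channel:16} {url}')
    print(link_farm_verdict(hits))
```

Regex extraction of this kind is a triage aid, not a PDF parser: it misses objects packed into object streams (/ObjStm), hex-encoded strings, and URLs split across text-showing operators, so a clean result from it does not clear a sample. It also deliberately does not fetch anything; the linked hosts are the next pivot, and the .pdf targets on the farm host should be expected to be further carrier documents of the same shape.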