Malicious PDF — malware analysis report

Static analysis result for SHA-256 e243f05d903bce51…

MALICIOUS

PDF

Size: 34.3 KB
Created: 2021-06-29 16:44:09 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a65069e5dbbac07170defda7db89754c
SHA-1: 41101ace18b693e8fda4975c38f139cfdea74db1
SHA-256: e243f05d903bce5185cbc0c67f6fe6acf0d91429f544916e78318d41829dbb1b
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document exhibits the characteristics of a malicious lure: a link farm designed to redirect users to potentially harmful content. The document body and the extracted URLs heavily promote game hacks and cheats for popular games such as Roblox and Minecraft, with the aim of tricking users into downloading malware or visiting malicious sites. The large number of external links, many of them pointing to PDF files with similar SEO-style slugs, strongly suggests a coordinated effort to distribute malicious payloads or phish for credentials.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] (SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002e9c.bin
SHA-256: 9e6eb0afb6e98469e377e2cb5607187e5e6c0d28f6306a4084e817f2ee5decdf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2E9C
Size: 22620 bytes

Filename: font_01_sfnt_off00006121.bin
SHA-256: c25912ee2cb0422c24bd29158f6562fb335ad93dd1de16ecee9d7822a5689078
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6121
Size: 18988 bytes