Malicious PDF — malware analysis report

Static analysis result for SHA-256 e362168870af7d64…

MALICIOUS

PDF

Size: 35.1 KB
Created: 2021-07-08 20:19:38 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)

MD5: 5a1f9a871d59270ccfc38f825428e9fe
SHA-1: 1b7101610768af5f3b89d95acfeeeb8798a35dbf
SHA-256: e362168870af7d64c73f204d45fa63761bb99632b83894399203d319f246d266

Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous links to external websites and IP addresses, all advertising hacks and cheats for popular games. The presence of a visual download button lure further supports the intent to trick users into downloading malicious files. The ML classifier strongly flagged this PDF as malicious, indicating a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00003190.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3190 | 22516 bytes
    SHA-256: 59ab70a1273c1fb5d1cf1bae22135a85ca0fb4b852e26603eeef9c3c5b917677
font_01_sfnt_off00006424.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6424 | 19088 bytes
    SHA-256: 5ee29a81f5e6d86a84ce6a263a5f791f90c1f4b14f55e40609aef6b4e9ea1c16