Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3d053d406d73912…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Created: 2021-05-13 16:53:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 53806ab24957ac926a3fab13bb92f7b7
SHA-1: c2e9ec94a859c156c55bba467048907aaad61043
SHA-256: e3d053d406d73912aac17abc3ecb221cfc7f95d41230b8ab39e1e34adfca1c93
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous links to external websites, many of which are presented as 'free cheats' or 'generators' for popular games like Coin Master and Roblox. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of such links, suggesting a link farm designed to attract users with deceptive content. The ML classifier also strongly flagged this PDF as malicious, supporting the conclusion that it is part of a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9971

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/free-spin-coin-master-hack-2021-game-hack
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/free-roblox-injector_GM431946152.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/free-robux-generator-2021_GM431946152.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/coin-master-spin-hack-without-verification_GM406889139.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/coin-master-admin-free-spins_GM406889139.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/how-to-hack-roblox-to-get-robux_GM431946152.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/free-robux-generator-no-human-verification_GM431946152.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/what-games-on-roblox-give-you-free-robux_GM431946152.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/how-to-get-free-spins-on-coin-master-2021_GM406889139.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/how-to-actually-get-free-robux_GM431946152.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/free-spins-and-coins-blogspot-coin-master_GM406889139.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/coin-master-heaven-links-free-spins_GM406889139.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/how-many-villages-are-in-coin-master_GM406889139.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/coin-master-hack-programers_GM406889139.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/daily-spins-coin-master_GM406889139.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/how-to-hack-someones-account-on-roblox_GM431946152.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/free-coins-coin-master-hack_GM406889139.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/roblox-catalog-free_GM431946152.pdf
    • http://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/minecraft-pocket-edition-free_GM479516143.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/www-coin-master_GM406889139.pdf
    • https://elearning.mtsn9jombang.sch.id/__statics/gudangsoal/files/como-hackear-coin-master-iphone_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004c34.bin
    SHA-256: d74b9b2e74f363c514e2e41320559214cf5275bcf0a182b15a2b05534b9cd392
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4C34
    Size: 24864 bytes
  • Filename: font_01_sfnt_off0000844f.bin
    SHA-256: fb2d798100dc09ab9990163d1a71849b6ff749ff3ac9d3c750144c56980b6f28
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x844F
    Size: 18456 bytes