Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb2674520b54518c…

MALICIOUS

PDF

34.8 KB Created: 2021-07-05 00:42:56 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 57a642676912aea4f4c3e79f1032a4d7 SHA-1: 69b907119de63b64f2068f18631db65c30ac15f4 SHA-256: eb2674520b54518c6e3a7685cbc4e9c7840717be966c6c445da2401330f47ba6
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many pointing to IP addresses, that are designed to lure users into downloading files related to game hacks and cheats. The document body and extracted URLs strongly suggest a phishing or scam attempt to trick users into downloading malware disguised as game cheats. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/431946152/how-do-we-get-free-robux-game-hack
    • http://202.56.165.220/digilab/repository/roblox-com-games-referrer-roblox-player_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/roblox-booga-booga-hack_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/how-to-sue-roblox_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/dungeon-quest-hack-roblox_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/how-to-get-free-outfits-on-roblox_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/coin-master-tricks-and-hacks_GM406889139.pdf
    • http://202.56.165.220/digilab/repository/roblox-admin-hack-adopt-and-raise-a-cute-kid_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/cheat-download-for-hacking-roblox_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/coin-master-hack-tool-no-survey_GM406889139.pdf
    • http://202.56.165.220/digilab/repository/roblox-hack-console-download_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/roblox-hackfree-robux-and-membership-hackaron_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/no-verify-free-robux_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/roblox-hack-to-get-roblox_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/pokemon-go-free-pokemon-generator_GM1094591345.pdf
    • http://202.56.165.220/digilab/repository/kazok-how-to-hack-roblox-accounts_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/how-can-you-get-robux_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/rbx-points-get-free-robux-points_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/how-to-get-800-robux-free_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/roblox-android-rape-hack_GM431946152.pdf
    • http://202.56.165.220/digilab/repository/how-to-get-free-robux-2021-october_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000302b.bin
275cf38f2fec79395ef377848adef96f863d42955aa87a4ef694e5d539fc16ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x302B 22424 bytes
font_01_sfnt_off00006203.bin
77d4dc97c307d7c63aabcd07bfab883361bf99189f8f493507813bf950ab756f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6203 19352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.