Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee010b7af31dccc8…

Verdict: MALICIOUS
File type: PDF
Size: 35.6 KB
Created: 2021-06-27 23:16:34 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 04d976b207d662b996ab80148c8ec612
SHA-1: 1ba3f02a9439fca9d72cf916263b51ba38dfc271
SHA-256: ee010b7af31dccc8347261ac692fb2996abd53f041d17f64d3e818083a71f616
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document contains numerous links to external websites, many of which are hosted on domains associated with SEO link farms. The primary URL, http://netcdn.co/app/431946152/roblox-money-cheat-game-hack, suggests a lure for downloading a game cheat or hack. The ML classifier strongly flagged this PDF as malicious, and the presence of a download button lure further supports a malicious intent to trick users into downloading potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://netcdn.co/app/431946152/roblox-money-cheat-game-hack
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/robux-hack-no-verification_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/whats-robux_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/anti-cheat-bypass-roblox_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-get-free-robux-without-download-apps-or-survey_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/real-free-robux-generator_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-get-free-robux-no-survey_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-hack-las-vegas-roblox_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/coin-master-hack-online-android_GM406889139.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/roblox-hack-ios_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/kazuin-how-to-hack-in-roblox_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-get-2021-free-robux-on-roblox_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/free-unlimited-coins-for-coin-master_GM406889139.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/comment-hacker-roblox-sans-logiciel_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/ways-to-get-free-robux-2021_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/minecraft-book-collection_GM479516143.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-get-minecraft-for-free-ios_GM479516143.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-hack-in-roblox-jailbreack_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/code-to-redeem-free-robux_GM431946152.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/coin-master-hack-apk-android_GM406889139.pdf
    • https://www.shaillybeauty.com.au/uploaded_files/userfiles/files/how-to-make-a-minecraft-bedrock-server-for-free_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000033e5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x33E5
    Size: 22520 bytes
    SHA-256: 9e9e884cadc1dff3e31d67fd26af5ea7b2f96c4571c502d87429b94a59dd9989
  • Filename: font_01_sfnt_off000065f8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65F8
    Size: 19132 bytes
    SHA-256: 1195b0eac1940e0cd552a3831d9a524f6d4f1f3f7dd661e6359170912f15b7a8