Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef0efd8f4345ea13…

Verdict: MALICIOUS

File type: PDF
Size: 44.3 KB
Created: 2021-05-12 16:02:46 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)

MD5: 49dfdd0eda5fc3248ea15472a67a17be
SHA-1: 3b7db69b5918d7f7c114c928f2532db69b04c962
SHA-256: ef0efd8f4345ea13d64225ba5326a291bbe4bbfb2589a974ca951e7e8a6fc43f

Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs, many of which are part of a link farm designed to attract users with promises of free game items like Robux and Coin Master spins. The ML classifier and PDF heuristics strongly indicate malicious intent, likely to direct users to phishing or malware-distributing websites. No scripts were extracted, but the extensive use of external links suggests a phishing or content-luring attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/free-robux-hack-game-hack
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-heaven-free-spins-today_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-to-get-free-robux-app_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/roblox-hacked-com-2021_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-coin-master-spins-blog_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-free-spins-link-today-instagram_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-minecraft-java-edition_GM479516143.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/get-free-coin-master_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/is-minecraft-realms-free_GM479516143.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-spin-hack-link_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-coin-master-coins-and-spins_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-do-you-hack-roblox_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-spins-coin-master-october-17-2021_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/free-robux-generator-no-human-verification-or-survey-2021_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-free-spins-hack-apk-download_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-to-install-minecraft-for-free-on-ios_GM479516143.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-hack-xyz-download-free_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-free-spin-link-new_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/actual-free-robux_GM431946152.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/coin-master-claim-free-spins_GM406889139.pdf
    • https://elearning.mtsn5blitar.com/__statics/gudangsoal/files/how-to-hack-roblox-to-get-robux_GM431946152.pdf
    • https://www.nrzroblox.com
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off0000504f.bin
    SHA-256: 5a62d7f25b4e8c976d435bc90c403ff6e2c31a3aac96a4a0ab506100e2632f3f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x504F
    Size: 25516 bytes
  • Filename: font_01_sfnt_off00008a81.bin
    SHA-256: 8090616d8a5c0701bec53dfbbcc7430816d9db69864bd7c9067c717eb12c26b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A81
    Size: 18412 bytes