Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1096b064ecdb52c…

Verdict: MALICIOUS
File type: PDF
Size: 46.9 KB
Created: 2021-05-17 00:18:59 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 1385a1034d8de1a459c3d92fa052cdaa
SHA-1: 0b277a2f3f8909a784e30bbfd00afd809b8b4547
SHA-256: f1096b064ecdb52c76ab2f9abfce4975202349abed84060305f0edaf56ee4c2e
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document contains embedded JavaScript and a large number of external links, many of which point to other PDF files. The document body, though partially corrupted, suggests a lure related to 'Minecraft server' and 'free Robux', indicating a social engineering attempt. The embedded JavaScript and the link farm heuristic suggest the document is designed to exploit users or manipulate search engine results, likely leading to further malicious content or downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CLICKFIX (high): ClickFix social engineering attack
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_003_off00004b3e.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4B3E
    Size: 31284 bytes
    SHA-256: c23c01ce19a4ae931a88182dd70d7a60e15d74aa6d24c174f6cbf1e513faa92d
  • font_01_sfnt_off00008b4d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8B4D
    Size: 2912 bytes
    SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f
  • font_02_sfnt_off0000954a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x954A
    Size: 18156 bytes
    SHA-256: 7ebd6cc6f7d73451d43dfe99dc02d56d86c4e3c51693199467050b16fbe82799