Malicious PDF — malware analysis report

Static analysis result for SHA-256 f915ea85ea50dda3…

Verdict: MALICIOUS
File type: PDF
Size: 34.5 KB
Created: 2021-07-04 12:35:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 18735862c6a264f238039cad9beb876d
SHA-1: 9db3c5c07de8cf4da0dff14bbf2a9e221d523c86
SHA-256: f915ea85ea50dda3342357af604dedf9c9c2190b595db1ab91611e80cd7be0ac
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to sites offering game hacks and virtual currency (Roblox/Robux, Coin Master spins), consistent with a scam lure rather than a normal document. 20 of the 22 extracted URLs point to similarly named PDFs under one host's /repository/ path, the pattern of a generated link farm. The ML classifier strongly flagged the file as malicious, and the embedded URI actions suggest it is designed to route readers to those sites. No scripts were extracted; the verdict rests on the document's structure and embedded links, which point to a lure for users interested in game exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DIFFERENTIAL_PARSE_FAILED: PDF differential parser failed
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/431946152/roblox-hacking-website-game-hack
    • http://perpustakaan.sman2bondowoso.sch.id/repository/free-roblox-accounts-with-robux-that-work-not-banned_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/free-spins-and-coins-coin-master-2021_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/how-do-u-get-robux_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/free-spins-coin-master-october-13-2021_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/coin-master-daily-free-spins-link-today-blog_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/free-robux-hack_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/roblox-online-hack-free-robux_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/free-robux-no-human-verification-2021_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/roblox-shirt-template-free_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/how-to-get-free-clothes-on-roblox-no-bc_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/games-that-can-be-hacked_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/moonactive-coin-master-free-spins-link_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/how-to-get-2021-robux-for-free_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/free-roblox-level-7-hack_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/how-to-get-free-coins-on-coin-master_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/apps-for-free-robux_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/how-to-use-cheat-engine-on-roblox-high-school_GM431946152.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/get-free-spins-for-coin-master_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/coin-master-cheats-and-hacks_GM406889139.pdf
    • http://perpustakaan.sman2bondowoso.sch.id/repository/how-do-you-hack-roblox-adopt-me_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
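How the PDF_SEO_LINK_FARM and EMBEDDED_URL checks above can be reproduced, as an added example rather than the analyzer's own code: it pulls /URI actions out of the raw bytes (so it still runs when a structured parser such as pdfminer.six rejects the file, the situation PDF_DIFFERENTIAL_PARSE_FAILED describes), groups them by host, and flags a small file whose links cluster on one host. The sample PDF is constructed inline to mirror this report's 22 URLs (20 lure PDFs on one host, one netcdn.tw link, one Wikipedia link); the thresholds (10 links, 256 KB, 60% of links on one host) are assumptions for illustration, not the tool's values.

```python
"""PDF link-farm heuristic, reimplemented as an added example (not the report
tool's own code). External /URI actions are pulled from the raw bytes, so the
check keeps working when a structured parser raises on a malformed file, then
grouped by host. Thresholds are assumptions chosen for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string): handles \( \) \\ escapes. Octal escapes are not
# decoded (assumption: link targets do not use them).
LITERAL_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# /URI <hex string>, whitespace allowed between digits
HEX_URI_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(data: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes, in file order.

    Assumption: annotations are not hidden inside compressed object streams
    (PDF 1.5 /ObjStm); such files would need their streams inflated first.
    """
    hits = []
    for m in LITERAL_URI_RE.finditer(data):
        hits.append((m.start(), re.sub(rb"\\(.)", rb"\1", m.group(1))))
    for m in HEX_URI_RE.finditer(data):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr += b"0"  # PDF pads an odd trailing hex digit with 0
        hits.append((m.start(), bytes.fromhex(hexstr.decode("ascii"))))
    return [raw.decode("latin-1") for _, raw in sorted(hits)]


def link_farm_verdict(data: bytes, min_links: int = 10, max_size: int = 256 * 1024,
                      cluster_ratio: float = 0.6) -> dict:
    """Flag a small PDF whose outbound links are many and mostly on one host.

    The three thresholds are assumptions, not the analyzer's real values.
    """
    uris = extract_uris(data)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    total = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_count / total if total else 0.0
    flagged = len(data) <= max_size and total >= min_links and ratio >= cluster_ratio
    return {
        "flagged": flagged,
        "size": len(data),
        "external_links": total,
        "top_host": top_host,
        "top_host_links": top_count,
        "cluster_ratio": round(ratio, 3),
        "hosts": dict(hosts),
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed stand-in for a sample: one /Link annotation per URL, no xref
    (enough for byte-level scanning, not a fully valid PDF)."""
    objs = [b"%PDF-1.4\n"]
    for n, u in enumerate(urls, start=4):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, u.encode()))
    objs.append(b"%%EOF\n")
    return b"".join(objs)


# Constructed sample mirroring the report's list: 20 lure PDFs under one host,
# one netcdn.tw link and one Wikipedia link (paths are illustrative).
REPO = "http://perpustakaan.sman2bondowoso.sch.id/repository/"
SAMPLE_URLS = (
    ["http://netcdn.tw/app/431946152/roblox-hacking-website-game-hack"]
    + [REPO + f"lure-{i:02d}_GM431946152.pdf" for i in range(20)]
    + ["http://en.wikipedia.org/wiki/MIT_License"]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

# Constructed benign control: a few citations on unrelated hosts.
BENIGN_PDF = build_sample_pdf([
    "https://example.com/paper.pdf",
    "https://example.org/",
    "http://en.wikipedia.org/wiki/MIT_License",
])

if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_verdict(pdf))
```

Because the scan is byte-level, it is robust to the xref and object-structure damage that makes pdfminer.six raise PDFSyntaxError, but it also sees URIs in unreferenced or dead objects; treat its output as a list of reachable-looking targets, not proof that each link renders. For producers that write compressed object streams, inflate the /ObjStm bodies before scanning.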

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00003323.bin
  SHA-256: c1cb1e71d0863e45a65ada05bef5aa062fe8084848c353b79024d05460afa8d0
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3323
  Size:    22624 bytes

font_01_sfnt_off000065c3.bin
  SHA-256: 62b0d36ce948ffdc11f28ab91e3b337edea8e9919308700d4ef5645592577123
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x65C3
  Size:    19076 bytes
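To show how pdf-font-stream artifacts like the two above are located and sized, an added example that is not the report tool's code: it walks each PDF stream body, inflates FlateDecode data, and carves sfnt (TrueType/OpenType) fonts by reading the table directory, so a font's length is the end of its last table rounded up to 4 bytes. The PDF fragment and the minimal font are constructed inline; the plausibility limits (table count, printable tags, tables fitting in the buffer) are assumptions.

```python
"""Carve embedded sfnt fonts out of a PDF: added example, not the report
tool's own code. Stream bodies are inflated when they are FlateDecode data,
then scanned for sfnt headers whose table directory is plausible; the font
length is the end of its last table, 4-byte aligned."""
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Apple TrueType


def sfnt_length(data: bytes, off: int):
    """Return the byte length of the sfnt at `off`, or None if the table directory is not plausible."""
    if off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= 64:  # assumption: real fonts have a handful to a few dozen tables
        return None
    dir_end = 12 + 16 * num_tables
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(data):
            return None
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", data, rec)
        if not all(0x20 <= c < 0x7F for c in tag):  # tags are printable ASCII ('cvt ', 'OS/2')
            return None
        if toff < dir_end or off + toff + tlen > len(data):  # tables follow the directory and fit
            return None
        end = max(end, toff + tlen)
    return min((end + 3) & ~3, len(data) - off)  # tables are padded to 4 bytes


def carve_sfnt(data: bytes) -> list:
    """Return [(offset, length, font_bytes)] for each plausible sfnt in `data`."""
    found = []
    pos = 0
    while True:
        hits = [i for i in (data.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            break
        off = min(hits)
        length = sfnt_length(data, off)
        if length:
            found.append((off, length, data[off:off + length]))
            pos = off + length  # the 'head' table also starts with 00 01 00 00; do not rescan inside a font
        else:
            pos = off + 1
    return found


def carve_pdf_fonts(pdf: bytes) -> list:
    """Return [(stream_offset, offset_in_stream, length, font_bytes)] over every stream body."""
    results = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end == -1:
            continue
        raw = pdf[start:end]
        try:
            body = zlib.decompress(raw)  # FlateDecode; embedded fonts are usually compressed
        except zlib.error:
            body = raw  # not Flate data (or a filter this example does not handle): scan as-is
        for off, length, font in carve_sfnt(body):
            results.append((start, off, length, font))
    return results


def build_sfnt(tables) -> bytes:
    """Constructed minimal sfnt (header + directory + padded tables); not a usable font."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)  # searchRange etc. left 0
    off = 12 + 16 * n
    records, body = b"", b""
    for tag, blob in tables:
        records += struct.pack(">4sIII", tag, 0, off, len(blob))
        padded = blob + b"\0" * ((-len(blob)) % 4)
        body += padded
        off += len(padded)
    return header + records + body


# Constructed test data: a 112-byte font ('head' 54 bytes, 'name' 10 bytes) in a
# Flate stream, preceded by a raw decoy stream containing the bytes "true".
SAMPLE_FONT = build_sfnt([(b"head", b"\x00\x01\x00\x00" + b"\0" * 50), (b"name", b"\0" * 10)])
FONT_STREAM = zlib.compress(SAMPLE_FONT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Type /XObject >>\nstream\n\x89PNG true >> decoy\nendstream\nendobj\n"
    b"5 0 obj\n<< /Filter /FlateDecode /Length1 " + str(len(SAMPLE_FONT)).encode() + b" >>\nstream\n"
    + FONT_STREAM + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for stream_off, off, length, font in carve_pdf_fonts(SAMPLE_PDF):
        print(f"sfnt at stream offset 0x{stream_off:X} (+{off}), {length} bytes")
```

The reported offset is the file position of the stream body, matching the report's "at offset 0x…" wording, while the size is that of the inflated font, which is why the two artifacts above can have sizes larger than the gap between their offsets. The header magics are short and common in binary data, so the table-directory checks, not the magic, are what keep the carver from emitting junk.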