Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9df3d6508d27bd7…

Verdict: MALICIOUS

File type: PDF

Size: 44.0 KB
Created: 2021-05-13 22:41:46 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: aed81586bd722cca9ded6e00ba9b6b8e
SHA-1: 71b6f9567bd0f777382481c5d7c3850c2d554453
SHA-256: f9df3d6508d27bd7710749d205b1d258c9c4ea922b9d75002900b0a3e0d08e1a
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded links and a "link farm" designed to direct users to external websites, many of which are related to game cheats and virtual currency. The ML classifier strongly flagged this PDF as malicious, and the presence of many external links suggests a phishing or malware distribution attempt. No scripts were extracted, but the document's structure and embedded URLs indicate a likely attempt to trick users into visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, id: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/431946152/how-to-hack-roblox-games-game-hack
    • http://serviio.org/images/how-to-make-free-robux_GM431946152.pdf
    • http://serviio.org/images/free-spins-coin-master-app_GM406889139.pdf
    • http://serviio.org/images/coin-master-free-spins-23-march-2021_GM406889139.pdf
    • http://serviio.org/images/how-to-get-free-skins-in-roblox_GM431946152.pdf
    • http://serviio.org/images/how-do-you-install-minecraft-for-free_GM479516143.pdf
    • http://serviio.org/images/free-coin-master-gifts_GM406889139.pdf
    • http://serviio.org/images/free-robux-hack_GM431946152.pdf
    • http://serviio.org/images/free-money-links-coin-master_GM406889139.pdf
    • http://serviio.org/images/free-robux-promo-codes-2021_GM431946152.pdf
    • http://serviio.org/images/give-me-robux-now_GM431946152.pdf
    • http://serviio.org/images/free-spins-on-coin-master-2021_GM406889139.pdf
    • http://serviio.org/images/coin-master-free-spins-link-today-new_GM406889139.pdf
    • http://serviio.org/images/win-free-robux_GM431946152.pdf
    • http://serviio.org/images/coin-master-game-android-free-download_GM406889139.pdf
    • http://serviio.org/images/free-spins-for-coin-master-app_GM406889139.pdf
    • http://serviio.org/images/coin-master-hack-xyz_GM406889139.pdf
    • http://serviio.org/images/coin-master-card-link-free_GM406889139.pdf
    • http://serviio.org/images/roblox-com-free-robux_GM431946152.pdf
    • http://serviio.org/images/how-to-get-free-cards-in-coin-master_GM406889139.pdf
    • http://serviio.org/images/free-robux-no-human-verification-or-survey-or-download-2021_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000049a6.bin
    SHA-256: 0dd50b9285057aa4e05f34e9ad4c00b9078e2696f1b046e44dba6c873385bac5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x49A6
    Size: 27800 bytes
  • Filename: font_01_sfnt_off000088b3.bin
    SHA-256: f0530f62cc2e234d68a11618bd0f649c02fcf1ebf2f14054a2e3aba439076e74
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88B3
    Size: 18608 bytes