Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb3a3ca1f1ec66c4…

Verdict: MALICIOUS
File type: PDF
Size: 46.3 KB
Created: 2021-05-17 03:34:34 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 0bfeceee1403ffd7c6f208a46f896d38
SHA-1: 4b45ed094def8f6a780ba5cda2628e686247c320
SHA-256: fb3a3ca1f1ec66c4a6c39082e9cbb2a83cbb66e868b3a24715af9cffcf6301ae
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to external websites, many of which are structured as SEO link farms, suggesting a malicious intent to drive traffic to potentially harmful content. The presence of a 'MFA / one-time-code harvesting lure' heuristic indicates the document may be designed to phish for credentials or session tokens. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8696

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure [high] SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004a59.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4A59
    Size: 26608 bytes
    SHA-256: da21ca57c73e988017740573776c783682fa8e57437465a37d4ddac331a2c108
  • Filename: font_01_sfnt_off000085c2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x85C2
    Size: 2912 bytes
    SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f
  • Filename: font_02_sfnt_off00008fbf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8FBF
    Size: 19176 bytes
    SHA-256: 2db8195158682863467aa5049c27493158ce29af4e73d213a7d216c5b0c72741