Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbb7241f056f3641…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Created: 2021-07-09 16:53:18 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b8b1823886a5977e8543938b534eb840
SHA-1: 3e1fd6f8da2ab18ac8b507cae5d20382bd4ed632
SHA-256: fbb7241f056f3641a3fe4de9f9161f172e57f603e2ee926fde6738e5c016c3d4
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains numerous links to external websites, many of which are hosted on domains associated with game hacks and cheats. The document body explicitly mentions downloading free versions of games like Minecraft and offers links to resources for Roblox and Coin Master hacks. This suggests a lure to download potentially malicious files or visit compromised sites. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/479516143/play-full-version-of-minecraft-for-free-no-download-game-hack
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-robux-games_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/cheat-codes-roblox-hero-academy-tempest_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/how-to-make-clothes-on-roblox-for-free_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/coin-master-34-6-hack_GM406889139.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-pet-treats-coin-master_GM406889139.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/coin-master-free-link-blogspot_GM406889139.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/hacks-minecraft_GM479516143.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-roblox-accounts-that-work_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/how-to-get-more-followers-on-tiktok-free_GM835599320.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/roblox-gift-card-free-virtual-item_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-robux-present-for-roblox_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/hacks-for-minecraft-bedrock_GM479516143.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-minecraft-account-list_GM479516143.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/how-to-get-coin-master-free-spin-link_GM406889139.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-roblox-obbys-on-roblox_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/coin-master-hack-ios-download_GM406889139.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-minecraft-hacks_GM479516143.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-robux-no-human-verification-or-survey-2021_GM431946152.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/coin-master-free-coins-and-spins_GM406889139.pdf
    • https://www.johnofrolleston.com/admin/ckfinder/userfiles/files/free-roblox-accounts-with-robux-that-work-not-banned_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00003926.bin
    SHA-256: a89f1e4913a982d2b3588b9586473c8a1275c9524e72510fc14218596270374d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3926
    Size: 22392 bytes
  • font_01_sfnt_off00006abd.bin
    SHA-256: 5e32e363d8c65815c6d01de56cc06b1aeed3e4c2338534b38083fd982a037e53
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6ABD
    Size: 19184 bytes