Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdabd3a900e0bf7c…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Created: 2021-05-16 04:06:01 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: eade93b71188cb6556b325e74a7546aa
SHA-1: 86d6f1805274a45279e6489dbcdaa34888d500f6
SHA-256: fdabd3a900e0bf7c1772ca7a1cff5939bca78e0d6990ea2ecc472f5a760aeabe
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to external websites. The document body and extracted URLs suggest a lure related to game cheats and accounts, likely to drive traffic to SEO spam pages or potentially host malicious content. While no scripts were explicitly extracted, the nature of the embedded links and the ML_NYX_PDF_MALICIOUS flag indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8642

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004bce.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4BCE
    Size: 25488 bytes
    SHA-256: ed9074b0ae9ebfac8abd1f46c696f657e4f7c1d08c6d639af0293c17fef5d9ab
  • Filename: font_01_sfnt_off00008729.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8729
    Size: 2828 bytes
    SHA-256: db1860fd79a3f2cbe32e2bada3ba4c68a2d581b7a24294387cd777233cc9cef6
  • Filename: font_02_sfnt_off000090da.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90DA
    Size: 5596 bytes
    SHA-256: 9a13c2580265a78e8a7257496a31ee0055738af7e20a5661c2902efe4bf05ce5
  • Filename: font_03_sfnt_off00009d82.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9D82
    Size: 19076 bytes
    SHA-256: a3899638bf51e335cbc40673d1471e0832e9a39f88469ef4ed0809ba61e6f618