Malicious PDF — malware analysis report

Static analysis result for SHA-256 0273abc1ee9e4da8…

MALICIOUS

PDF

41.7 KB Created: 2021-04-29 05:51:17 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 55d34b4b9cbf5947aad40015635e9193 SHA-1: 3ad915e2e524084d9b2c03d027c2dba064e4d7a3 SHA-256: 0273abc1ee9e4da877ed150a822c882cd59236600a082707d17d88306359c6f4
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The ML classifier strongly indicates maliciousness, supported by heuristics identifying a browser update lure and a password-protected archive handoff. The document body contains URLs that likely lead to malicious content or further infection vectors. The combination of social engineering tactics suggests an attempt to trick the user into downloading and executing a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 5

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/como-ser-fuerte-en-boxing-simulator-2-roblox-cheat-game-hack PDF link annotation
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/where-to-put-code-for-free-roblox.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/free-sprite-shirt-roblox.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/free-robux-cheat-2021.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/hack-to-survive-roblox.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/free-roblox-shirt-templates-2021.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/roblox-hack-mining-simulator-rebhirt.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/nike-shirt-roblox-free.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/how-to-hack-roblox-games-with-artmoney.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/free-robux-promo-codes-2021-october.pdfIn PDF document text
    • https://www.regaloscabalgatas.es/ckfinder/userfiles/files/how-to-get-free-stuff-on-roblox-mobile.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000042c0.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x42C0 25712 bytes
SHA-256: dfd075df291d7ddffbd7179f00a775fd13027609b698f877d173eb3471b1dda7
font_01_sfnt_off00007e49.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7E49 19376 bytes
SHA-256: da1c15986c4e3fc5c507e20d06b352010d19d0e181df07230cc7776135eff2c2