Malicious PDF — malware analysis report

Static analysis result for SHA-256 0895e17eed851e30…

MALICIOUS

PDF

41.9 KB Created: 2021-05-23 08:14:11 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 5178416b53ea0595ea01ea9e8529891b SHA-1: 1dfaaece1f7e254669abac2a37ac0269a3d6c5e5 SHA-256: 0895e17eed851e30373d489daa569ff7f7998d1dad8debf2a185bf965ceffabb
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and presents a fake CAPTCHA to trick the user into clicking a download link. The document body explicitly mentions "How To Hack Someone's Account On Roblox" and "CLICK HERE TO ACCESS ROBLOX GENERATOR", reinforcing the lure. The embedded JavaScript likely facilitates the download of a second-stage payload from one of the listed URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8120

Heuristics 5

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-hack-someone PDF link annotation
    • http://www.rongoldmanlaw.com/system/js/back/ckfinder/userfiles/files/blox-world-free-robux_GM431946152.pdfIn PDF document text
    • http://www.rongoldmanlaw.com/system/js/back/ckfinder/userfiles/files/minecraft-hacks-xbox_GM479516143.pdfIn PDF document text
    • http://www.rongoldmanlaw.com/system/js/back/ckfinder/userfiles/files/roblox-verification_GM431946152.pdfIn PDF document text
    • http://www.rongoldmanlaw.com/system/js/back/ckfinder/userfiles/files/coin-master-free-stars_GM406889139.pdfIn PDF document text
    • http://www.rongoldmanlaw.com/system/js/back/ckfinder/userfiles/files/is-roblox-hacked_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000033d5.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33D5 27824 bytes
SHA-256: a23349fad4dbca6c22ac6c3e9d011eeff30002d536ce0ecaacc37cf06ebed97a
font_01_sfnt_off000073d2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x73D2 3884 bytes
SHA-256: 40b61f8938bd710dc29dc58ba3fde91c245a6a69596ec569b4d27c769ca417cf
font_02_sfnt_off0000807a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x807A 18912 bytes
SHA-256: 995056b981027bfba3f97be2499ebace8b386febdb07856c531761fbe005e83e