Malicious PDF — malware analysis report

Static analysis result for SHA-256 09e764d9b0650327…

Verdict: MALICIOUS

File type: PDF

Size: 35.9 KB
Created: 2021-06-25 15:03:08 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9ba79163413665e15fa2f0551172e483
SHA-1: ad15e55f03c993c9ecdd45116ac7f19d8cc541fb
SHA-256: 09e764d9b0650327abb40dc2dd50d6f850a4aa0cff3d84a078f7622712da2df9
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains multiple invisible links and visible calls-to-action that lead to external URLs, masquerading as free game-related downloads. The primary lure appears to be for 'Roblox Hack' and 'Coin Master' cheats, directing users to download files from suspicious domains. The ML classifier strongly indicated maliciousness, and the presence of multiple CAPTCHA-themed links further supports a malicious intent to trick users into downloading potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Invisible PDF links to CAPTCHA-themed web lure [severity: high] PDF_CAPTCHA_LINK_LURE
    PDF contains invisible clickable link annotations that point to a CAPTCHA/capcha-themed web path. This is a common phishing and ClickFix-style routing pattern: the PDF itself is inert, while the linked page performs the credential prompt or fake verification.
  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003528.bin
  SHA-256: 3eafdd667f0e01a7db0356078b7e99bb44e877133f84fdf3a74f36e97e5f8cc3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3528
  Size: 22552 bytes

Filename: font_01_sfnt_off00006734.bin
  SHA-256: 08e75716ef6f3c94dc3216b928c72c53d6912aac8fc972b08aaaa2f5b7531bb9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6734
  Size: 19072 bytes