Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a0029050d1298fe…

MALICIOUS

PDF

38.8 KB Created: 2021-06-02 05:55:33 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-15
MD5: adb947f2d4d93b170f8412c83f82be34 SHA-1: 478672031811d95d2a521322dea36184f720e8df SHA-256: 0a0029050d1298fe68a39b1d6dc581b3f0ea927eb237ecfc6bc84ddfa0ddf153
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1203 Exploitation for Client Execution

The PDF contains lures for installing browser extensions and executing commands via the clipboard, suggesting a social engineering attack to compromise the user's system. The embedded URL points to a site offering 'Free Robux No Human Verification', a common lure for malware distribution. While no scripts were extracted, the heuristics strongly indicate an attempt to trick the user into downloading and executing malicious content or commands.

Machine Learning

  • Nyx PDF Classifier clean score 0.0353

Heuristics 5

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-no-human-verification-game-hack PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000038a0.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x38A0 25972 bytes
SHA-256: 512aa5cb17f56612b0ecab18b4c7c3306e9969e43f310d9a21909da542b67098
font_01_sfnt_off0000743a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x743A 18860 bytes
SHA-256: 7bf6b254896799c3550cbaf8339a45bd8c79022df116fd793fc899e49cde55bc

Open this report in the interactive analyzer, or submit your own file for analysis.