Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b8b30fc99b556a4…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Created: 2021-06-27 21:34:30 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 67d4d586e0ece5c04eeb98f2a75587df
SHA-1: 0c44fad0e264d86df1dfc3b1479642b30ab7bcb9
SHA-256: 0b8b30fc99b556a4d405de7a50b8d360931ed7be796001a35dca2a8f5d136a46
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1204.002 Malicious Link

The PDF document displays a fake CAPTCHA to trick the user into clicking a malicious link, most likely a lure promising game cheats or in-game currency. The ML classifier flagged the PDF as malicious with high confidence, and several heuristics indicate suspicious URL usage. The document body and the extracted URLs point to a lure built around 'Robux' and 'Coin Master' cheats.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (5)

  • PDF link to algorithmically-generated URL (severity: high, PDF_RANDOM_URL_LINK)
    The PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path or query carries a long high-entropy token. This is the randomized-redirector pattern used by malspam phishing lures, where the visible document is only a prompt; it is not a PDF parser vulnerability.
  • Fake CAPTCHA / human verification prompt (severity: high, SE_FAKE_CAPTCHA)
    The document displays a fake CAPTCHA or human-verification prompt, a social-engineering device used to trick users into running commands or pressing keyboard shortcuts.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://netcdn.co/app/431946152/get-100-robux-for-free-promo-code-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003130.bin
  SHA-256: bd504a2812a91a80007f756f57cb38de3b49cbb3e8d03faf6e7660ff62996242
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3130
  Size: 22024 bytes

Filename: font_01_sfnt_off00006226.bin
  SHA-256: 06f79878783cf2cb8bfd4489c22ce589900a347418438682e2066295d534e84e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6226
  Size: 19688 bytes