Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b9f8894937f6253…

MALICIOUS

PDF

42.4 KB Created: 2021-04-25 04:40:07 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 56e81994ab82082f534b63cff0d43403 SHA-1: 3a519f7d5e689f5fe53a1a85a71b675689444c16 SHA-256: 0b9f8894937f62536932938feb3ff278a2eb7281bdc8f8abcf30e24ab3d9ef35
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous links that masquerade as game cheats or hacks, aiming to trick users into downloading malicious files. The ML classifier strongly indicated maliciousness, and the presence of external URIs and command execution indicators further supports this. The document body, though partially corrupted, contains references to game cheats and URLs, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-cheat-theme-park-tycoon-2-on-roblox-game-hack
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/boku-no-hero-academia-roblox-hack.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/roblox-grand-blox-auto-2-all-cmds-hack.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/free-robux-today-2021.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/roblox-paintball-hack-download.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/roblox-phantom-forces-hack-no-virus.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/roblox-cheating-story.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/uninstall-roblox-free.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-on-roblox-2021-december.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/how-to-get-free-admin-on-any-roblox-game-2021.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/gudangsoal/files/roblox-minecraft-games-free.pdf
    • https://elearning.mtsalhuda.sch.id/__statics/g
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000043a6.bin
ec8075edccfaf049056d808e9d89fc1528f137751f74c2ba2654a36fe9b5f22d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x43A6 26844 bytes
font_01_sfnt_off00008114.bin
ff359955c519e911959fb1a283881bee58377ae8b7e884630d4c8ea29a135318		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8114 19332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.