Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f8a6231248944ce…

MALICIOUS

PDF

39.8 KB Created: 2021-04-29 01:12:37 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: b0b847081b2549c6317f12d3d56e22d4 SHA-1: cec23c45988e7a9174411c00d9b2bfae4f722544 SHA-256: 0f8a6231248944ce5ffee69590586c40b55273e77f031a5d7854cb1309191dba
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains multiple embedded URLs, many of which are related to game hacking and exploits. The presence of a 'password-protected archive' lure heuristic suggests that the document is designed to trick users into downloading and potentially extracting a malicious payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-hack-in-roblox-got-talent-game-hack PDF link annotation
    • https://lib-stie.yai.ac.id/repository/how-to-hack-robux-easy.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/roblox-hack-me-com.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/sean-cheat-roblox.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/how-to-hack-roblox-assassin-2021.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/cheat-engine-682-roblox.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/stigma-roblox-hack-download.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/how-to-hack-all-roblox-games-pc.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/free-gfx-render-roblox.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/get-free-robux-gamepasses-pastebin.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/free-robux-hacker-us.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000409b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x409B 25172 bytes
SHA-256: 9db1baddfc52102c53d3f298dd11c535ca2bc1b8f4657c2abed340b731625697
font_01_sfnt_off00007912.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7912 18452 bytes
SHA-256: df67beaa9ada278b3de2a6736212f3c9df0495ceeea0afabe5bd17daff3bfc7c