Malicious PDF — malware analysis report

Static analysis result for SHA-256 0fc406e172e87d60…

MALICIOUS

PDF

Size: 43.0 KB
Created: 2021-04-29 05:28:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 0c5d78ad2f144576520f773579f6f081
SHA-1: 51857123820cef610b6d24b082373e8ff1249bbb
SHA-256: 0fc406e172e87d60d61d67ad0a6e6d27706e13d8f94623d6c7bdc2c28b56fccb
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains multiple embedded URLs and heuristics indicating a social engineering lure. Specifically, the 'Browser extension / update installation lure' heuristic suggests the document directs users to install something, likely malicious, under the guise of viewing content. The presence of URLs related to game hacks and cheats further supports this, indicating an attempt to trick users into downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics (4)

  • Browser extension / update installation lure (severity: high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/triga-cheat-engine-roblox-game-hack (PDF link annotation)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/case-clicker-cheats-roblox.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/hack-peoples-account-roblox.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/how-to-get-free-robux-easy-real.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/how-to-access-the-studio-of-a-roblox-game-hack.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/imperium-roblox-hack.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/create-free-account-roblox.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/free-games-to-download-like-roblox.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/hack-roblox-vehicle-simulator-2021.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/roblox-x-ray-hack-autohotkey.pdf (in PDF document text)
    • https://www.tiendagrouppln.com/ckfinder/userfiles/files/roblox-sword-fight-on-the-heights-original-how-to-hack.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004449.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4449
    Size: 28928 bytes
    SHA-256: e82b575967f818529effa65d5dee366aa70b0db010784da2df61ba6e366625a3
  • Filename: font_01_sfnt_off0000853a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x853A
    Size: 18688 bytes
    SHA-256: 248ac51e0b28648304ac29cbabcd7bcb3228788048e154dbc009685ef376d935