Malicious PDF — malware analysis report

Static analysis result for SHA-256 131d61ab6814f776…

MALICIOUS

PDF

Size: 49.4 KB
Created: 2021-06-10 23:45:23 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 19ced484ab6780f100efc2bd04bed9ac
SHA-1: 5136e615cef2a5288dfa449c01c122b04c61da7b
SHA-256: 131d61ab6814f776a9414900c094b99396c0266faf3178cd349824c3d1ab1506
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to a lure about hacking Roblox accounts. The ML classifier also flagged the document as malicious with high confidence. The document body and embedded URLs reinforce the theme of exploiting user interest in game hacks and free items, likely to redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.tw/app/431946152/how-do-you-hack-someone (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00004db1.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4DB1
    Size: 27868 bytes
    SHA-256: 1dc5eef7fbd4da8b3cb1aaf1a81fa39d76aa331916438ba05ec594cf5aabfc1d
  • Filename: font_01_sfnt_off00008e65.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E65
    Size: 5696 bytes
    SHA-256: 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
  • Filename: font_02_sfnt_off00009b76.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B76
    Size: 19244 bytes
    SHA-256: 6e68d396de943cb3f5a8da6cc08ddbb6396c0a8c2aa0586a5169f33932ad1dc1