Malicious PDF — malware analysis report

Static analysis result for SHA-256 158f2cd0f820ee6a…

Verdict: MALICIOUS

File type: PDF

Size: 46.2 KB
Created: 2021-05-11 00:37:46 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 2207d02deffeb3719ced038ac85cad7b
SHA-1: 30e2ae536823ad40d009bce9e3609704e8f04c21
SHA-256: 158f2cd0f820ee6a8637c89b2eceefff49943f52182f8889acccea1d1f6e4287
Risk score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a lure for 'More Robux' (Roblox's in-game currency) and a link annotation pointing to an external URL that promises a 'game hack'. The heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document may also solicit sensitive information, such as passwords or private keys, under the guise of account recovery or generator access. The external URI together with the nature of the lure suggests an attempt to trick the user into downloading potentially malicious software or divulging credentials.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0126

Heuristics (4)

  • SE_SECRET_RECOVERY_LURE (critical): Recovery secret / private key request
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • https://netcdn.xyz/app/431946152/get-more-robux-game-hack (PDF link annotation)
      • http://en.wikipedia.org/wiki/MIT_LicenseIn (PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind                     Source                                       Size
stream_003_off00003958.bin     decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3958     27512 bytes
  SHA-256: 31fd66202bc63941347324e16443bd20c0e2a8d603afe30592a96c135c1fc71d
font_01_sfnt_off00007ac8.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x7AC8    7628 bytes
  SHA-256: 31013ff57f1b96697f6ce69f2e0594809a4c2c508b065a12a44d3cc7d29a2999
font_02_sfnt_off000093d6.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x93D6    18152 bytes
  SHA-256: 3f0afb5031a6524980f5b4f14d61315d560e84a079a8a334c40e6e2be07f7597
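The heuristics and the artifact table above rest on three kinds of evidence: URLs reached through a /URI action on a link annotation, URLs and call-to-action phrases found in the decompressed (FlateDecode) content streams, and the carved streams themselves identified by offset, inflated size and SHA-256. The stdlib-only Python below is an added example that reproduces that triage on a PDF it constructs itself; it is not code or output from the analysis engine that produced this report, and it does not touch the analysed sample. The URLs under example.invalid, the object layout and the lure-phrase list are invented for the example.

```python
"""Stdlib-only PDF triage: URL channels, FlateDecode carving, lure phrases."""
import hashlib
import re
import zlib

# Constructed content stream text (not from the analysed sample).
SAMPLE_CONTENT = (b"BT /F1 12 Tf 72 700 Td "
                  b"(Click here to download: https://example.invalid/body-link) Tj ET")
SAMPLE_ANNOT_URI = b"https://example.invalid/app/get-more-robux"


def build_sample_pdf() -> bytes:
    """Build a minimal PDF skeleton with one link annotation (/URI action) and one
    FlateDecode content stream. No xref table: viewers may complain, the carver
    below does not need one. Constructed for this example only."""
    packed = zlib.compress(SAMPLE_CONTENT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
        b"/A << /S /URI /URI (" + SAMPLE_ANNOT_URI + b") >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


# Literal-string /URI actions only; hex strings (<...>) and escaped parens are not handled.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# 'stream' keyword not preceded by 'end', so 'endstream' is never taken as a stream start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\s*(?=/|>>)")
# Invented phrase list mirroring the call-to-action / secret-request heuristics.
LURE_PHRASES = (b"click here to download", b"download now",
                b"recovery phrase", b"private key", b"backup code")


def link_annotation_uris(pdf: bytes) -> list[str]:
    """Channel 'PDF link annotation': URLs reached through a /URI action."""
    return [m.group("uri").decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]


def carve_flate_streams(pdf: bytes) -> list[dict]:
    """Carve streams whose object dictionary declares /FlateDecode and inflate them,
    recording data offset, inflated size and SHA-256 as the artifact table does."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        # Look back to the enclosing 'N 0 obj' so nested dictionaries don't hide /Filter.
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        dictionary = pdf[obj_start:m.start()]
        if b"/FlateDecode" not in dictionary:
            continue
        length = DIRECT_LENGTH_RE.search(dictionary)
        data_off = m.start(1)
        # Prefer the declared direct /Length; fall back to the regex span when the
        # length is an indirect reference such as '/Length 6 0 R'.
        raw = pdf[data_off:data_off + int(length.group(1))] if length else m.group(1)
        try:
            inflated = zlib.decompress(raw)
        except zlib.error:
            continue  # truncated or obfuscated stream: skip it rather than abort triage
        carved.append({"offset": data_off, "size": len(inflated),
                       "sha256": hashlib.sha256(inflated).hexdigest(),
                       "data": inflated})
    return carved


def document_text_urls(streams: list[dict]) -> list[str]:
    """Channel 'PDF document text': URLs inside inflated content streams."""
    return [u.decode("latin-1") for s in streams for u in URL_RE.findall(s["data"])]


def lure_hits(streams: list[dict]) -> list[str]:
    """Low-signal call-to-action / secret-request phrases in the inflated text."""
    text = b" ".join(s["data"].lower() for s in streams)
    return [p.decode() for p in LURE_PHRASES if p in text]


def triage(pdf: bytes) -> dict:
    streams = carve_flate_streams(pdf)
    return {
        "link_annotation": link_annotation_uris(pdf),
        "document_text": document_text_urls(streams),
        "lures": lure_hits(streams),
        "streams": [{k: v for k, v in s.items() if k != "data"} for s in streams],
    }


if __name__ == "__main__":
    report = triage(build_sample_pdf())
    for channel in ("link_annotation", "document_text"):
        for url in report[channel]:
            print(f"URL {url}  [{channel}]")
    print("lures:", report["lures"])
    for s in report["streams"]:
        print(f"FlateDecoded stream at offset 0x{s['offset']:X}: "
              f"{s['size']} bytes  SHA-256 {s['sha256']}")
```

Two caveats when applying this to real samples. Text in content streams is often hex-encoded, split across Tj/TJ operators or mapped through custom font encodings, so a regex over the inflated bytes undercounts; a proper text layer (as a PDF library provides) is needed for the 'document text' channel. And /URI values may be hex strings or be reached through JavaScript or OpenAction rather than a link annotation, which is why the report labels each URL with the channel that reached it.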