PDF malware analysis — malicious · 161361196a3de393

MALICIOUS

PDF

32.9 KB Created: 2021-07-20 11:20:22 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27

MD5: 821922272b4c6484c25206056f99bbbf SHA-1: 53d7b23790668737ffae9bcc50ab12ad5381fd76 SHA-256: 161361196a3de3933df8a1846bbfe085b14506c537a5d4bf667ef6f1c35bb3d8

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document impersonates Microsoft to lure users into clicking a link, likely for credential phishing or to download a second-stage payload. The primary malicious URL identified is http://netcdn.tw/app/431946152/how-to-hack-people-on-roblox-game-hack. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to exploit user interest in game-related content for malicious purposes.

Machine Learning

Nyx PDF Classifier malicious score 0.9900

Heuristics 4

Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH

Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://netcdn.tw/app/431946152/how-to-hack-people-on-roblox-game-hack.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://netcdn.tw/app/431946152/how-to-hack-people-on-roblox-game-hack PDF link annotation
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/minecraft-free-download-ios_GM479516143.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/free-robux-websites-that-actually-work_GM431946152.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/free-robux-generator-no-verification-2021_GM431946152.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/coin-master-free-spin-today_GM406889139.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/minecraft-hack-mod_GM479516143.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/minecraft-games-free-download_GM479516143.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/tiktok-likes-for-free_GM835599320.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/get-tiktok-followers-free_GM835599320.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/free-robux-hack-2021_GM431946152.pdfIn PDF document text
- https://elearning.minkotablitar.sch.id/__statics/gudangsoal/files/minecraft-hacked-client_GM479516143.pdfIn PDF document text
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00002b53.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2B53	22292 bytes
SHA-256: `46e0095afd19fab1265f72adcc83df3e88d7da5e173ddb9fdc0de8fc0e0fb940`
`font_01_sfnt_off00005c9e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5C9E	18864 bytes
SHA-256: `3bb8a2dae3a1b4d991366e88f95c9aba70b3d869c0580506886643149285b4b1`

Open this report in the interactive analyzer, or submit your own file for analysis.