Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ed13758b5567385…

Verdict: MALICIOUS

File type: PDF

Size: 44.3 KB
Created: 2021-06-08 16:05:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 425fa98944d60b9244eb1de959fbf549
SHA-1: c91fbb1519daf0ccf9e070f3f491267c43890eba
SHA-256: 1ed13758b55673856ede8af323d9f520c44642474fbaa02dcb006483f84b9f9a
Risk score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a lure related to 'free Robux' and directs the user to a URL that likely hosts a malicious payload. The presence of a browser installation lure heuristic further suggests a social engineering attempt to trick the user into downloading and executing further malware. No scripts were extracted from this sample, but the embedded URL and the nature of the lure strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9865

Heuristics (4)

  • Browser extension / update installation lure (severity: high) SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://netcdn.tw/app/431946152/do-you-get-free-robux-roblox-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00004f49.bin
    SHA-256: fc76c33a474c47c3db428d055466972323e91a6e1e468f135dc83b435227d6d6
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4F49
    Size: 25596 bytes
  • Filename: font_01_sfnt_off000089e4.bin
    SHA-256: fa6bf7bd1c7c932300851699856435fa94a6c32dbc3b84423fa78b616cc08d52
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x89E4
    Size: 18520 bytes