Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b2854ed502d4688…

Verdict: MALICIOUS    File type: PDF    Risk score: 82
Size: 42.8 KB    Created: 2021-05-11 03:37:51 +07:00    Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: c0e3a161a9fe4c1bf7f02c1a1caa7f2c
SHA-1: aa6cfdc179c85092a7ba73db09eb1d262b4d072a
SHA-256: 2b2854ed502d468823523d71b761c43adea29ad81a277f8837320722a30f2602

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document presents itself as a CAPTCHA or human-verification prompt whose purpose is to get the reader to click through. The embedded URLs, such as 'https://netcdn.xyz/app/431946152/roblox-rewards-robux-game-hack', and the sibling PDFs on e-learningmin10jakarta.com with names promising free Robux, Coin Master spins and Minecraft downloads, are game-cheat and free-currency lures. No script was extracted from the file, so nothing in it executes on its own; the risk lies in the external content the links lead to, which may exploit the browser or deliver a further payload. The wkhtmltopdf producer string is consistent with the PDF having been rendered from an HTML page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • SE_FAKE_CAPTCHA (high): Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt, a lure used to trick users into running commands or pressing keyboard shortcuts
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • https://netcdn.xyz/app/431946152/roblox-rewards-robux-game-hack
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/coin-master-free-online-game_GM406889139.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/get-free-spins-coin-master-2021_GM406889139.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/minecraft-dungeons-free-download_GM479516143.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/girl-roblox-avatar_GM431946152.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/coin-master-hack-app-ios_GM406889139.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/hack-coin-master-apk-33_GM406889139.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/coinmaster-free-cards_GM406889139.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/claim-free-spins-coin-master_GM406889139.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/hack-coin-pro-coin-master_GM406889139.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/master-coin-free-spin_GM406889139.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/how-to-hack-coin-master-apkmody_GM406889139.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/how-to-get-free-robux-on-mobile_GM431946152.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/how-to-get-free-robux-no-verification-2021_GM431946152.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/free-roblox-hack_GM431946152.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/minecraft-mac-free_GM479516143.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/can-i-download-minecraft-for-free_GM479516143.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/coin-master-free-gifts_GM406889139.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/free-400-spins-coin-master_GM406889139.pdf
    • https://www.e-learningmin10jakarta.com/__statics/gudangsoal/files/free-robux-games-that-actually-work-2021_GM431946152.pdf
    • https://e-learningmin10jakarta.com/__statics/gudangsoal/files/get-free-robux-generator_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis. The offset is where the font's stream object sits in the PDF; the size is that of the carved (decoded) file, not the encoded span on disk, which is why 0x49B0 + 26072 bytes would run past the end of a 42.8 KB file.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000049b0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x49B0   26072 bytes
  SHA-256: 49bf63127daf64b8ba39d17680e73ecaed57037a9560c27be94d83757d9385dd
font_01_sfnt_off00008444.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8444   18492 bytes
  SHA-256: f54db345ef6a05ddcc33e39b82b6da332f4d0f4ab5c2582a6db6f23f2eda51df
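The four heuristics above (PDF_URI, EMBEDDED_URL with its per-channel labels, the two SE_ lures) and the font carving behind the artifacts table can be reproduced with a handful of regexes. What follows is an added example written for this page, not the analysis engine's own code. It builds a small constructed PDF (the only URLs reused from the list above are the netcdn.xyz one and the Wikipedia one; everything else is synthetic), inflates the FlateDecode streams so the scan sees what the viewer renders, labels each URL by the channel it was found in, flags the lure phrases, and carves sfnt font streams as (offset, decoded size) pairs in the same sense as the table. All function, regex and label names are the example's own, the phrase lists are assumptions standing in for whatever the classifier uses, and the stream walk is a regex shortcut: it takes the nearest '<<' as the stream dictionary, so nested dictionaries (/DecodeParms), object streams, non-Flate filters, TJ arrays and hex strings are out of scope and would need a real PDF parser.

```python
import re
import zlib

# Constructed test data, not the report's sample: a 12-byte sfnt (TrueType) header and a one-page
# PDF with FlateDecode content and font streams plus a /Link annotation carrying a /URI action.
SFNT_HEAD = b'\x00\x01\x00\x00\x00\x04\x00\x80\x00\x03\x00\x10'
LURE_URL = b'https://netcdn.xyz/app/431946152/roblox-rewards-robux-game-hack'

def build_sample():
    content = (b'BT /F1 18 Tf 72 700 Td (Verify you are human) Tj\n'
               b'(Download Now) Tj\n(http://en.wikipedia.org/wiki/MIT_License) Tj ET')
    content_z, font_z = zlib.compress(content), zlib.compress(SFNT_HEAD)
    objs = [
        b'<< /Type /Catalog /Pages 2 0 R >>',
        b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
        b'<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>',
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream' % (len(content_z), content_z),
        b'<< /Type /Annot /Subtype /Link /Rect [72 650 300 720] /A << /S /URI /URI (%s) >> >>' % LURE_URL,
        b'<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream' % (len(font_z), font_z),
    ]
    body = b''.join(b'%d 0 obj\n%s\nendobj\n' % (i + 1, o) for i, o in enumerate(objs))
    return b'%PDF-1.4\n' + body + b'trailer << /Root 1 0 R >>\n%%EOF\n'

SAMPLE_PDF = build_sample()

STREAM_RE = re.compile(rb'(?<!end)stream\r?\n')
LENGTH_RE = re.compile(rb'/Length\s+(\d+)\b(?!\s+\d+\s+R)')        # skip indirect "/Length 7 0 R"
URI_STRING_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)  # string operand of a /URI action
TJ_STRING_RE = re.compile(rb'\(((?:\\.|[^\\)])*)\)\s*Tj', re.S)     # text drawn on the page (Tj only)
ANY_URL_RE = re.compile(rb'https?://[^\s()<>"\'\[\]]+')
SFNT_MAGICS = (b'\x00\x01\x00\x00', b'true', b'OTTO', b'ttcf')
CAPTCHA_PHRASES = ('verify you are human', "i'm not a robot", 'i am not a robot')  # assumed word lists
BUTTON_PHRASES = ('download now', 'click here to download')

def unescape_pdf_string(s):
    """Resolve PDF literal-string escapes: \\ddd octal, and backslash before ( ) or backslash."""
    def repl(m):
        g = m.group(1)
        return bytes([int(g, 8) & 0xFF]) if g.isdigit() else g   # other escapes just lose the backslash
    return re.sub(rb'\\([0-7]{1,3}|.)', repl, s, flags=re.S).decode('latin-1')

def iter_streams(pdf):
    """Yield (payload offset, decoded payload) per stream: /Length bounds the payload (else scan for
    endstream), FlateDecode is inflated, other filters are left raw. A regex walk, not a PDF parser."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        sdict = pdf[pdf.rfind(b'<<', 0, m.start()):m.start()]      # nearest '<<' = the stream's dictionary
        lm = LENGTH_RE.search(sdict)
        end = start + int(lm.group(1)) if lm else pdf.find(b'endstream', start)
        if end < start:
            continue
        payload = pdf[start:end]
        if b'/FlateDecode' in sdict:
            try:
                payload = zlib.decompress(payload)
            except zlib.error:
                continue                # truncated or deliberately corrupt stream: skip, don't crash
        yield start, payload

def normalise(pdf):
    """Raw bytes plus every decoded stream, so one pass sees the link annotations and the page text."""
    return pdf + b'\n' + b'\n'.join(p for _, p in iter_streams(pdf))

def extract_uri_actions(buf):
    """URLs reachable by a click: the string operand of each /URI action (PDF_URI channel)."""
    return [unescape_pdf_string(m.group(1)) for m in URI_STRING_RE.finditer(buf)]

def extract_urls(buf):
    """Every URL-looking token, labelled with the channel it came from (EMBEDDED_URL)."""
    actions, seen, out = set(extract_uri_actions(buf)), set(), []
    for m in ANY_URL_RE.finditer(buf):
        url = m.group(0).decode('latin-1')
        if url not in seen:
            seen.add(url)
            out.append((url, 'link-annotation' if url in actions else 'document-body'))
    return out

def find_lure_phrases(buf):
    """Social-engineering strings among Tj operands (SE_FAKE_CAPTCHA / SE_DOWNLOAD_BUTTON)."""
    hits = []
    for m in TJ_STRING_RE.finditer(buf):
        text = unescape_pdf_string(m.group(1)).lower()
        hits += [p for p in CAPTCHA_PHRASES + BUTTON_PHRASES if p in text and p not in hits]
    return hits

def carve_sfnt_fonts(pdf):
    """(stream offset, decoded size) of each embedded sfnt font, as the artifacts table reports them."""
    return [(off, len(p)) for off, p in iter_streams(pdf) if p[:4] in SFNT_MAGICS]

def triage(pdf):
    """Bundle the checks the way the report's heuristics and artifacts sections present them."""
    buf = normalise(pdf)
    lures = find_lure_phrases(buf)
    return {
        'PDF_URI': extract_uri_actions(buf),
        'EMBEDDED_URL': extract_urls(buf),
        'SE_FAKE_CAPTCHA': any(p in lures for p in CAPTCHA_PHRASES),
        'SE_DOWNLOAD_BUTTON': any(p in lures for p in BUTTON_PHRASES),
        'sfnt_fonts': [{'offset': hex(off), 'size': n} for off, n in carve_sfnt_fonts(pdf)],
    }
```

Calling triage(SAMPLE_PDF) returns the netcdn.xyz URL under PDF_URI and labelled 'link-annotation', the Wikipedia URL labelled 'document-body' (it only becomes visible after the content stream is inflated, which is the reason for normalise), both SE_ flags set, and one sfnt font of 12 decoded bytes at the offset of its compressed stream. Against a real sample, replace SAMPLE_PDF with the file's bytes and treat the phrase lists and channel labels as starting points to tune.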