Malicious PDF — malware analysis report

Static analysis result for SHA-256 437558a00390f27d…

MALICIOUS

PDF

Size: 43.2 KB
Created: 2021-05-12 02:24:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: d390744965a4daf6d204db975aaa7a3d
SHA-1: d8f62ce9d7e805a1ce8df7796182b78b2deb463f
SHA-256: 437558a00390f27dd9b94d0cd56416eba8eb06b8e23f4c77b83b762152f5a49a
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The document presents a fake CAPTCHA to lure the user into clicking a link, likely to download a malicious payload disguised as a game hack. The embedded URL points to a suspicious domain associated with game cheats. The ML classifier strongly indicates maliciousness, supporting the fake CAPTCHA and download lure heuristics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (4)

  • SE_FAKE_CAPTCHA (severity: high): Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • SE_DOWNLOAD_BUTTON (severity: low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • PDF_URI (severity: info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/roblox-devil-game-hack
    • http://lichtdrukkerijwijchen.nl/images/change-roblox-username-free_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-hack-app-android-download_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-claim-spins_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-freebies_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/easy-robux-today-com_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-for-pc-free-download_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-spin-link-2021_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/how-to-get-free-spins-on-coin-master-facebook_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/get-free-robux-without-human-verification_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-free-spins-link-today_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/oprewards-free-robux_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-cheats-2021_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/get-free-robux-today_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/best-way-to-get-free-robux_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/free-shields-coin-master_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/coin-master-free-spins-instagram_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/cheat-codes-for-coin-master_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/www-claim-gg-to-earn-free-robux_GM431946152.pdf
    • http://lichtdrukkerijwijchen.nl/images/blogger-coin-master-free-spins_GM406889139.pdf
    • http://lichtdrukkerijwijchen.nl/images/roblox-promo-codes-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004923.bin
    SHA-256: 1fc5890ca4cb8ae3cd9f3746c4223716dca4ee17a0914b9d710a27d81bf9e4e1
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4923
    Size: 26808 bytes
  • Filename: font_01_sfnt_off000086b8.bin
    SHA-256: 228d9baa03aba80999033b04d18df637c8a6ae95d309aac9b6611bd5d5156bd2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x86B8
    Size: 18184 bytes