Malicious PDF — malware analysis report

Static analysis result for SHA-256 466aefd0fb3bedf3…

MALICIOUS

PDF

251.8 KB Created: 2021-07-09 07:38:46 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3686ebfc196e3513d85c4e1706b18337 SHA-1: ac9e170eb94ca9b0660309157f38ec09720bdda5 SHA-256: 466aefd0fb3bedf3c77e5f0e4e1eca9b2ae06d390bf0a35a261fee5a42c967c2
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document employs a combination of lures, including a fake CAPTCHA, MFA prompt, and advance-fee scam, to deceive the user. The embedded URL http://netcdn.tw/app/1330123889/pubg-uc-10-game-hack likely serves as a malicious download link or redirects to a credential harvesting page. The document's structure and content strongly suggest an attempt to trick users into executing further malicious actions or divulging sensitive information.

Machine Learning

  • Nyx PDF Classifier clean score 0.0098

Heuristics 7

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/1330123889/pubg-uc-10-game-hack
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/free-modded-minecraft-server_GM479516143.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/how-to-get-any-roblox-gamepass-for-free-2021_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/how-to-get-free-roblox-money_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/if-roblox-made-everything-free_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/create-roblox-cheat-script_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/roblox-2021-hacks-catalogo-free_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/claim-free-robux_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/wizard-hacks_GM479516143.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/sites-to-get-free-robux_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/hack-to-protect-village-on-coin-master_GM406889139.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/coin-master-hack-apk-2021-download_GM406889139.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/redline-roblox-cheat-download-give-me-the-fucking-cheat-rn_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/free-roblox-gifts_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/free-money-and-spins-coin-master_GM406889139.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/free-robux-hack-no-human-verification-or-survey_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/roblox-how-to-hack-accoutns_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/minecraft-account-hacked_GM479516143.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/minecraft-free-download-ios_GM479516143.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/robux-boost_GM431946152.pdf
    • https://elearning.manlimapuluhkota.sch.id/__statics/gudangsoal/files/free-robux-without-human-verification-2021_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_024_off00038225.bin
030ee32eb8a9090e78a631666078ca12dced026261cb81e36bc8e24fcdfae2e2		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x38225 26180 bytes
font_01_sfnt_off0003bf94.bin
6694d3952cf45525c01fa1d274a2019460829626fd655f89a4fc907f73693da1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3BF94 18404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.