Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a5098808e9901a9…

Verdict: MALICIOUS
File type: PDF
Size: 56.5 KB
Created: 2021-05-19 02:14:04 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9280eb4b7ebec5e12d03c85f7c25731e
SHA-1: 2c3aa25c9f16174ad83002aefd7514ad95cb0c9b
SHA-256: 4a5098808e9901a9e66c42617c60a9a12871500bd73113af9ab6e2fd52578ed3
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1553.005 Security Software Installation

The PDF document contains multiple embedded URLs and a document body that explicitly mentions "Hacks For Roblox Jailbreak" and provides a URL for downloading such content. The heuristic firings indicate the presence of external URIs and a high ML confidence score for maliciousness. Crucially, the document also contains instructions to disable security software, a strong indicator of malicious intent to facilitate further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9515

Heuristics (4)

  • Security software disable instruction (severity: high, SE_SECURITY_BYPASS)
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/hacks-for-roblox-jailbreak-game-hack

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004d02.bin
    SHA-256: acedc3ec961b09496b318d53e8a97b0239cb03139c4475d935c7d547280716c4
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4D02
    Size: 36864 bytes
  • Filename: font_01_sfnt_off00009f2f.bin
    SHA-256: 7ebedd6b182173c8e55836cb0d114b2c4a0ac85c96a51b9f0706c935f8415fea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F2F
    Size: 8252 bytes
  • Filename: font_02_sfnt_off0000ba43.bin
    SHA-256: 0c6da94061aa06f3897ec4e3cf893835e909886797588b4f947a24dee870a8ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBA43
    Size: 18632 bytes