Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e106ad7bfd91ac9…

  • Verdict: MALICIOUS
  • File type: PDF
  • Size: 35.1 KB
  • Created: 2021-07-02 01:55:05 +07:00
  • Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
  • MD5: 6034e978528754d6ae7566375c7eda40
  • SHA-1: 8898e4ae6c1b800591776e666fff699e6c4ce40a
  • SHA-256: 4e106ad7bfd91ac9a4aa350268e577e681399dc7e1bec626fd174fa4bfeeac36
  • Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous links and references to game hacks and cheats for popular games like Roblox and Coin Master, indicating a lure for users to download potentially malicious content. The presence of external URIs and the ML classifier's high confidence score strongly suggest malicious intent. While no scripts were explicitly extracted, the document's structure and embedded URLs point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • LOLBin token sequence in document text (severity: high, rule: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000331a.bin
    SHA-256: bb702fd1ecd4319733c266dd1dbb10c6fd45a13e5d42b8588800420ab05b83c6
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x331A
    Size: 22384 bytes
  • Filename: font_01_sfnt_off00006502.bin
    SHA-256: eb80850c5abca80cfd8e7848d0ea8f12d93e406a67952de567f15377f64a1afe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6502
    Size: 18768 bytes