Malicious PDF — malware analysis report

Static analysis result for SHA-256 5164357da63eedbb…

MALICIOUS

PDF

37.5 KB Created: 2021-05-24 03:44:41 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 489d87c6a0ee70f130c4c5ecf49d7dfa SHA-1: f9ec7ba05d5c9e2bee7683e4ad408fde6e9876d7 SHA-256: 5164357da63eedbb0d44458a0590ad9836dc04997d48e8aa7416056f9d095858
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs and a visual call-to-action button, strongly suggesting a phishing or scam attempt. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document may be instructing the user to decrypt a payload, which is a common tactic for malware delivery. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/rbxfree-com-free-robux-game-hack
    • https://www.fhccu.com/images/free-robux-scams_GM431946152.pdf
    • https://www.fhccu.com/images/roblox-rape-hack_GM431946152.pdf
    • https://www.fhccu.com/images/download-minecraft-java-edition-free_GM479516143.pdf
    • https://www.fhccu.com/images/hacks-for-roblox-jailbreak_GM431946152.pdf
    • https://www.fhccu.com/images/free-robux-survey_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003325.bin
c1cf5e975aaf8bcf125d4ab0a83cbdee3577d414117ca2c176ab4bc099378960		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3325 27776 bytes
font_01_sfnt_off00007168.bin
3458f47f0b0e4c5d178391a23bbf01d917f000ba7933fbc297d15d2e5240f022		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7168 18276 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.