Malicious PDF — malware analysis report

Static analysis result for SHA-256 527c6ef040a669b8…

Verdict: MALICIOUS
File type: PDF
Size: 46.5 KB
Created: 2021-05-30 20:52:01 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 7e95b71dc5578f3bb0e140ebc9d157bd
SHA-1: 1a226196400cdd3baa21a487f63ef4c5d4c72d54
SHA-256: 527c6ef040a669b850ed0d81e7d9ef54ab89fe8bb7b4aa924ce1dec7050df99a
Risk score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document contains lures for free game items and triggers the MFA/one-time-code harvesting heuristic, which together indicate a phishing attempt. The embedded URL points to a suspicious domain that likely hosts a malicious payload or a phishing page. Although no scripts were extracted, the PDF's structure and the heuristic hits suggest it is designed to exploit user interest in free items in order to compromise accounts or deliver further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9418

Heuristics (4)

  • MFA / one-time-code harvesting lure (severity: high, SE_MFA_LURE)
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/free-robux-easy-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_003_off00005708.bin
    SHA-256: ec04323dba3f77fa39fb2c139b92eae7b2b42640695ae4ba4ca5d152ea8b0944
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5708
    Size: 25664 bytes
  • font_01_sfnt_off00009292.bin
    SHA-256: 93fb4fe90c413bceeeea5373daaca89ae05c83417e443247d622c1bd09cfd34e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9292
    Size: 18420 bytes