Malicious PDF — malware analysis report

Static analysis result for SHA-256 53e8643a398332b4…

MALICIOUS

PDF

40.2 KB Created: 2021-05-20 13:09:17 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 97a1bda92a3dc21e1535335d3ef0f94c SHA-1: a8af7a6e6f42d5e834c45ff4dcd83b46391c492b SHA-256: 53e8643a398332b4f80b7174793aa36c67b0ec6d36c1c72292bc40616e1d22fa
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains an embedded URI pointing to a URL that is likely a lure for downloading a malicious file, disguised as a game hack. The document also contains instructions to disable security software, which is a strong indicator of malicious intent. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7877

Heuristics 4

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-change-your-name-in-roblox-for-free-game-hack
    • http://gameanglinginstructors.co.uk/images/free-roblox-clothes-boy_GM431946152.pdf
    • http://gameanglinginstructors.co.uk/images/coin-master-hacked-apk-download-for-android_GM406889139.pdf
    • http://gameanglinginstructors.co.uk/images/coin-master-gold-cards-free-link_GM406889139.pdf
    • http://gameanglinginstructors.co.uk/images/i-cant-get-free-spins-coin-master_GM406889139.pdf
    • http://gameanglinginstructors.co.uk/images/roblox-free-wings_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000033b2.bin
5ba76f69aec7f3b19ec7f7e03bc415ae2e52475b19059da0a43f23e93b819a74		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33B2 26968 bytes
font_01_sfnt_off00006f0f.bin
baad2f3f6808f4af03fa9398e38c580c8d846f7f773a947d8cc1f39b2753d31a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F0F 2844 bytes
font_02_sfnt_off000078d0.bin
f5fa8051516efdb430215c32221800eb8c82dc03f6476ac338efe693dcbf881c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78D0 19356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.