Malicious PDF — malware analysis report

Static analysis result for SHA-256 5cb04ffa84c2984e…

MALICIOUS

PDF

228.0 KB Created: 2021-07-03 19:33:51 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9bc483e16f78ca776e9fbc9215ed294a SHA-1: ac1525c7d09aa8837501abc58d26c83bbf8b42b6 SHA-256: 5cb04ffa84c2984e7c90452838678338fb89b263f09bdb6e25994c9f4d1e62c6
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document employs social engineering tactics, presenting a fake CAPTCHA and a browser extension installation lure to deceive the user. It directs the user to the URL http://netcdn.tw/app/1094591345/how-to-get-a-free-remote-raid-pass-game-hack, which likely hosts a payload or further phishing content. The document's content and heuristics strongly suggest an attempt to trick users into downloading or executing malicious content under the guise of obtaining free game items.

Machine Learning

  • Nyx PDF Classifier clean score 0.0117

Heuristics 6

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/1094591345/how-to-get-a-free-remote-raid-pass-game-hack
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/minecraft-skins-free-girl_GM479516143.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/earn-free-spins-coin-master_GM406889139.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/free-pet-treats-coin-master_GM406889139.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/roblox-promo-codes-for-free-robux_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/get-free-money-on-adopt-ke-roblox_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/how-to-make-a-private-server-in-roblox-for-free_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/earn-free-robux-for-roblox_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/coin-master-gold-cards-free_GM406889139.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/hack-para-assassin-roblox_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/a-hack-to-get-free-robux_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/roblox-hack-download-pc_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/how-to-hack-roblox-pet-sim_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/free-rememendem-toys-roblox_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/coin-master-unlimited-free-spins-link-2021_GM406889139.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/how-to-ban-or-kick-in-servers-roblox-hack-scrip_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/coin-master-hack-apk-july-2021_GM406889139.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/how-to-hack-goggle-systems-in-roblox_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/coin-master-free-chest-link_GM406889139.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/make-free-robux_GM431946152.pdf
    • http://elearning.mtsn2kotapalu.sch.id/__statics/gudangsoal/files/como-hackear-roblox-con-cheat-engine-68_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_023_off00032403.bin
558781ce05c64f55bbee9bf8ab341fb3216e1dc7c7ed3ae30a5ed6db02d70443		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x32403 25576 bytes
font_01_sfnt_off00035ff2.bin
c5b3907b683f7b43d02c5d1ad9f9bd814157124042f8eab5079115382ea780b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x35FF2 18748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.