Malicious PDF — malware analysis report

Static analysis result for SHA-256 68ae9235fb93abc0…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Created: 2021-06-23 09:27:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 587160e570da60d194c62a5d1e7dbb01
SHA-1: ed4cf72c5d0f76ef65bfaf410352edb8b1f160b0
SHA-256: 68ae9235fb93abc0fbb406f88c9575cc7fa6d044b3987063364a48d2ed5485e0
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded links that redirect to malicious infrastructure, specifically targeting users interested in game cheats and hacks. The ML classifier strongly flagged this PDF as malicious, and the presence of a visual download button further supports a social engineering lure. No scripts were extracted, but the primary attack vector appears to be directing users to malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000309f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x309F   22496 bytes
    SHA-256: 1ed1466b412b0535b5add087f67fe24d9df41adcbd40e4e84cf3fed42cc955d6
font_01_sfnt_off0000623d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x623D   19816 bytes
    SHA-256: 9e1ad3e676e6c77e8e8fbe98c0fc3ed22476bb1e2cd4d7403492ba62f95e2a99