Malicious PDF — malware analysis report

Static analysis result for SHA-256 74851b5c2df200d3…

MALICIOUS

PDF

48.1 KB Created: 2021-04-30 02:39:00 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: cb6fa4ad97058ddd82fc2bc24c99b14a SHA-1: 0cc3e4ae3c53c2861989ebaa6d8d64994951bb42 SHA-256: 74851b5c2df200d3b98f2d9e032402ce3a73193b5436f49db6752c1e5286dcee
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged by an ML classifier as malicious. It contains multiple embedded URLs that lead to pages offering game hacks, and the document body itself contains similar links. The heuristics indicate the document uses urgency and download lures, and suggests a password-protected archive handoff, a common technique to bypass security gateways. The presence of embedded URLs and the ML classification strongly suggest this document is part of a malware distribution chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics 5

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/descargar-roblox-hackeado-adopt-me-para-pc-game-hack PDF link annotation
    • https://www.malesse.com/ckfinder/userfiles/files/robux-hack-no-survey-no-download.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/free-roblox-accounts-with-robux-list.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/free-robux-no-virus-hax-free.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/google-how-do-i-get-free-robux-on-roblox.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/island-royale-roblox-free.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/how-to-make-free-admin-game-roblox.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/roblox-login-free-robux.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/visea-descargar-hack-roblox.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/no-virus-hack-roblox.pdfIn PDF document text
    • https://www.malesse.com/ckfinder/userfiles/files/phoenix-signs-hack-roblox-account.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000043b0.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x43B0 38900 bytes
SHA-256: 1a28d48ec23d5f75630a517847c14ea483ae8284abfb40c7f2ccd3798742d78c
font_01_sfnt_off0000975e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x975E 19440 bytes
SHA-256: 5a8bb2717ddf401007c54d0259de3e90fa3114fe5f745b3c9e09c6e4fc96055c

Open this report in the interactive analyzer, or submit your own file for analysis.