Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ef93b40e289e641…

MALICIOUS

PDF

Size: 250.3 KB
Created: 2021-07-06 19:19:24 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0f424235d1beae9651858c82d4c01e63
SHA-1: 650027507eb7787edbbc3544d69e16d51eebd47f
SHA-256: 7ef93b40e289e641d8112f6b2d1730f02b000227c0c47e0196d945c89dff20ca
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a fake CAPTCHA and a download button lure, suggesting an attempt to trick the user into clicking a malicious link. The presence of MFA and advance-fee scam lures further indicates a phishing or scamming objective. The embedded URL points to a suspicious domain associated with game hacks, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0098

Heuristics (8)

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/1330123889/pubg-uc-carding-telegram-game-hack
    • http://perpustakaan.pa-dompu.go.id/repository/play-roblox-for-free-online-without-downloading_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/is-there-any-virusfree-script-executor-for-roblox_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/free-robux-ultimate-gamer-365-new_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/how-to-actually-get-free-robux_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/growbux-net-get-free-robux_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/how-to-change-your-name-on-roblox-for-free_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/free-robux-codes-2021-april-2021_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/coin-master-hack-version-ios_GM406889139.pdf
    • http://perpustakaan.pa-dompu.go.id//repository/free-robux-no-verification-2021_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/free-robux-gift-card-25_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id//repository/wwwhaktutsin-2021-08-coinmasterfreespinandcoinlinkhtml-m-1_GM406889139.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/free-robux-hack-us_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id//repository/coin-master-free-spins-daily_GM406889139.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/roblox-rifle-script-hack_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id//repository/how-to-get-free-robux-no-scam_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/roblox-get-free-animations_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/roblox-hack-dll-script_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/elemental-battle-grounds-hack-roblox_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/free-accounts-that-have-robux_GM431946152.pdf
    • http://perpustakaan.pa-dompu.go.id/repository/hack-coin-master-for-iphone_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_024_off00037bb4.bin
  SHA-256: 5f093070c61ba2fcee7439713a618d15b2a46b8dccc2093c3bbaf7775a25d03e
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x37BB4
  Size:    26028 bytes

Filename: font_01_sfnt_off0003b8f1.bin
  SHA-256: 1902d0cc8051bf353b722d52704c1e396a1db1ddfc8b14912bfedac5415c4eab
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3B8F1
  Size:    18752 bytes