Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a74607a7696c102…

MALICIOUS

PDF

Size: 47.3 KB
Created: 2021-06-09 00:32:55 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 37c7bca11d63b6669aec99bd072800b5
SHA-1: f8fd880a05e2d98438c586b7a30f5d2f5aa7b218
SHA-256: 8a74607a7696c102c5af302f5222ee760af98da8abc827c027057284d7bcadcf
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document presents a fake CAPTCHA to trick the user into clicking a link, which is a common social engineering tactic. The embedded URL and numerous other URLs point to domains hosting potentially malicious content, likely for downloading further stages. The ML classifier also flagged this PDF as malicious, increasing confidence in its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics (4)

  • Fake CAPTCHA / human verification prompt (severity: high, SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel):
    • https://netcdn.tw/app/431946152/how-to-type-like-a-hacker-in-roblox-game-hack (PDF link annotation)
    • http://abris-jardin.be/images/roblox36com-free-robux_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/10-robux_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/mine-minecraft-games-for-free_GM479516143.pdf (in PDF document text)
    • http://abris-jardin.be/images/can-i-play-roblox-for-free_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/get-free-robux-generator_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/how-to-get-minecraft-for-free-on-android_GM479516143.pdf (in PDF document text)
    • http://abris-jardin.be/images/free-robux-generator-2021_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/how-to-get-free-robux-not-a-scam_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/daily-free-spin-link-for-coin-master_GM406889139.pdf (in PDF document text)
    • http://abris-jardin.be/images/free-robux-glitch-2021_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/how-to-hack-roblox-to-get-robux_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/free-robux-hack-2021_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/descargar-hack-coin-master_GM406889139.pdf (in PDF document text)
    • http://abris-jardin.be/images/free-robux-without-offers_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/how-to-hack-and-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/how-to-get-verified-on-tiktok-for-free-2021_GM835599320.pdf (in PDF document text)
    • http://abris-jardin.be/images/easy-robux_GM431946152.pdf (in PDF document text)
    • http://abris-jardin.be/images/coin-master-free-coins-2021_GM406889139.pdf (in PDF document text)
    • http://abris-jardin.be/images/mcpe-master-unlimited-coins-free-download_GM406889139.pdf (in PDF document text)
    • http://abris-jardin.be/images/free-robux-games-on-roblox_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00005072.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5072
    Size: 25724 bytes
    SHA-256: e4e35d4d4741395ecfc1f4af89a976b776b54163c3723611baebf9001fb968a8
  • Filename: font_01_sfnt_off00008a58.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A58
    Size: 2912 bytes
    SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f
  • Filename: font_02_sfnt_off00009455.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9455
    Size: 18824 bytes
    SHA-256: dd0da2fcac1c94a4431f41b1186382c4a2cc4d801b3f91765264c69307d97fdf