Malicious PDF — malware analysis report

Static analysis result for SHA-256 91c34250cd759467…

Verdict: MALICIOUS
File type: PDF
Size: 44.4 KB
Created: 2021-06-10 12:02:12 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 397ceab56166002c3ed8a7ac0abb2a39
SHA-1: c475aefed3561d4cf85784db5f196314d8fecccb
SHA-256: 91c34250cd759467551bb307d31195b14ebba2779f4c971d7d622260db07b64c
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment    T1204.001 Malicious Link

The document carries lures for free in-game items (specifically 'Roblox Milenario Headphones Free') and embeds multiple URLs pointing to similar 'free robux' and 'coin master' content. The heuristics flag external URI actions in link annotations, and the ML classifier scores the file as malicious. The document body, though partially corrupted, references download links and game hacks, consistent with a phishing or malware-distribution lure. The producer string (wkhtmltopdf via Qt) indicates the PDF was rendered from an HTML page rather than authored in a PDF tool.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9865

Heuristics 5

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/roblox-milenario-headphones-free-game-hack
    • http://e-pustaka.stkipadzkia.ac.id/repository/roblox-hack-ios_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/how-do-you-get-free-robux_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/coin-master-free-coins-link-2021-deutsch_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/haktutsin-2021-09-coinmaster50freespinandcoinlinkhtml-m-1_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/free-robux-no-generator_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/robux-free-c_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/coin-spin_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/coinmaster-spin-ml-free_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/tiktok-free-view-kreatif-lucu_GM835599320.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/how-to-get-free-robux-fast_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/robux-hack-no-human-verification-2021_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/cheats-coin-master-free_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/roblox-free-robux-hack-no-survey-no-download_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/how-to-hack-roblox-accounts-on-phone_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/minecraft-life-hacks_GM479516143.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/earn-robux-websites_GM431946152.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/coin-master-free-spins-iphone_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/master-hack-coin_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/free-coins-coin-master-link_GM406889139.pdf
    • http://e-pustaka.stkipadzkia.ac.id/repository/robux-prices_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: stream_004_off00004f80.bin
  SHA-256: a09fce8952e3504a3f49d85c630d03039d6c8566815abb6975f87ed201af1f42
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4F80
  Size: 25636 bytes

Filename: font_01_sfnt_off000088d2.bin
  SHA-256: c920639d7561e1372f2c7199630540fa3fb66dce45b7370f408ef80a4a1e1ea8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x88D2
  Size: 19008 bytes
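The two mechanical steps behind this report, the per-URL channel labels in the Embedded URL finding (link annotation versus document body) and the carving of FlateDecode streams by file offset with a SHA-256 per artifact, can be reproduced with a few lines of Python. The script below is an added example written for this page, not the analysis platform's own code. It builds a constructed toy PDF inline (one /Link annotation with a /URI action and one FlateDecode content stream whose text mentions a second URL) so it runs offline; the example.invalid URLs are placeholders, not the URLs from the sample.

```python
import hashlib
import re
import zlib


def build_sample_pdf() -> bytes:
    """Constructed toy PDF (not the analysed sample): one page, one FlateDecode
    content stream containing a URL in its text, and one link annotation whose
    /A dictionary carries a /URI action."""
    body = b"BT /F1 12 Tf 72 700 Td (Download Now: http://example.invalid/hack.pdf) Tj ET"
    comp = zlib.compress(body)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (https://example.invalid/app/1/free-game-hack) >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Indirect objects, stream bodies, /URI action strings and bare URLs in text.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def carve_streams(pdf: bytes):
    """Return (file_offset, sha256_hex, decoded_bytes) for every FlateDecode
    stream, the same three facts the 'Extracted artifacts' table records."""
    carved = []
    for m in OBJ_RE.finditer(pdf):
        obj = m.group(3)
        sm = STREAM_RE.search(obj)
        if sm is None or b"/FlateDecode" not in obj[: sm.start()]:
            continue
        # Offset of the stream data relative to the start of the file.
        offset = m.start(3) + sm.start(1)
        try:
            data = zlib.decompress(sm.group(1))
        except zlib.error:
            continue  # truncated or corrupted stream; skip rather than crash
        carved.append((offset, hashlib.sha256(data).hexdigest(), data))
    return carved


def extract_urls(pdf: bytes):
    """Map each URL to the set of channels that reached it: 'link-annotation'
    for /URI actions in the object graph, 'document-body' for URLs that only
    appear in decoded content-stream text."""
    found = {}
    for m in URI_RE.finditer(pdf):
        found.setdefault(m.group(1).decode("latin-1"), set()).add("link-annotation")
    for _offset, _digest, data in carve_streams(pdf):
        for u in URL_RE.finditer(data):
            found.setdefault(u.group(0).decode("latin-1"), set()).add("document-body")
    return found


if __name__ == "__main__":
    sample = build_sample_pdf()
    for offset, digest, data in carve_streams(sample):
        print("stream at offset 0x%X, %d bytes, sha256 %s" % (offset, len(data), digest))
    for url, channels in extract_urls(sample).items():
        print(url, sorted(channels))
```

The regex approach is deliberately shallow: it sees only /URI strings written as literal `(...)` strings in uncompressed objects, so hex-encoded strings, objects packed into object streams (PDF 1.5+) and streams whose compressed bytes happen to contain `endstream` are missed or mis-cut. For a real triage of a sample like this one, run it to get a quick channel-per-URL view, then confirm with a full PDF parser before treating the absence of a finding as evidence.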