Malicious PDF — malware analysis report

Static analysis result for SHA-256 95eeb430bc457489…

MALICIOUS

PDF

41.1 KB Created: 2021-04-29 19:13:44 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 4bcd4f995c054ac77159fce6879f6712 SHA-1: bf24692ae05831b60c56e02640cda2fd391d30cc SHA-256: 95eeb430bc457489c3af1b1201e70d4142ab01be18fa526d5d9411098bf43f34
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The document employs a social engineering tactic by presenting a lure for free in-game currency, directing the user to click a link to download a potentially malicious file. The ML classifier strongly flagged this PDF as malicious, and the presence of multiple URLs associated with game cheats and hacks further supports a malicious intent. The document body contains text and links that attempt to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 5

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/keisyo-robux-for-free-from-code-keisyo-game-hack
    • https://lib-stie.yai.ac.id/repository/roblox-retail-tycoon-money-cheat.pdf
    • https://lib-stie.yai.ac.id/repository/free-roblox-bot-accounts.pdf
    • https://lib-stie.yai.ac.id/repository/roblox-booga-booga-hack-script-2021.pdf
    • https://lib-stie.yai.ac.id/repository/roblox-free-game-card-25.pdf
    • https://lib-stie.yai.ac.id/repository/get-free-roblox-avatar-items.pdf
    • https://lib-stie.yai.ac.id/repository/how-to-get-1-million-robux-for-free-2021.pdf
    • https://lib-stie.yai.ac.id/repository/show-me-how-to-get-free-robux.pdf
    • https://lib-stie.yai.ac.id/repository/roblox-robux-hack-no-human-verification-or-survey.pdf
    • https://lib-stie.yai.ac.id/repository/cheat-roblox-pc-phantom-forces.pdf
    • https://lib-stie.yai.ac.id/repository/cheat-roblox-lumber-tycoon-2-indonesia.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00004409.bin
72c595775f71ee409051cb5d59fc2bb8bf5251333f857d7a7804a5b7c8bc4206		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4409 24936 bytes
font_01_sfnt_off00007d95.bin
de4784412e46833aa2aa4f67c6f6a15d2c6ca3000c5e14f247bed743b0e28d0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D95 18748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.