Malicious PDF — malware analysis report

Static analysis result for SHA-256 a416e2269b51eb47…

MALICIOUS

PDF

37.6 KB Created: 2021-05-24 00:19:13 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f5a8c1775ac789df26a6e3ec1f6ed61a SHA-1: 6bf411039ababab97e390f6ca630303013be2577 SHA-256: a416e2269b51eb47517ef4a500fafd4fe3aa2e137bd0f2ce91339f6b6cc740dc
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains an embedded URL and a call-to-action phrase, suggesting a lure for downloading a payload. The heuristic indicating a security bypass instruction further supports a malicious intent. While no scripts were directly extracted, the presence of external URLs and the security bypass heuristic indicate the document is designed to trick the user into downloading and executing further malicious content, likely related to game cheats or similar lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/rbl-gg-free-robux-game-hack
    • https://financia-business-school.com/static/upload/files/coin-master-free-100-spin_GM406889139.pdf
    • https://financia-business-school.com/static/upload/files/coin-master-free-spin-ml_GM406889139.pdf
    • https://financia-business-school.com/static/upload/files/games-like-coin-master_GM406889139.pdf
    • https://financia-business-school.com/static/upload/files/free-robux-no-downloading-apps_GM431946152.pdf
    • https://financia-business-school.com/static/upload/files/master-free-spin-and-coin-link_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003119.bin
b360358a2bc4a006721da2fe2337ba954aa8f51a1adf70c2e2d8135fcbdbbe5b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3119 28160 bytes
font_01_sfnt_off00007196.bin
36d8e5c8df31ce5774558eb4dff236d908794f1052653b7bf9d7a2310610d2b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7196 18376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.