Malicious PDF — malware analysis report

Static analysis result for SHA-256 abe1626d951288a8…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Created: 2021-06-29 21:25:28 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 8231a0b7f1ee523066699092151d5f90
SHA-1: d03d312e88bfdc7da0c1865c2088165a4b6c2e89
SHA-256: abe1626d951288a8dc5bda355ab1cb6f73b04292094f77db6d1ad092b14bf02f
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links and text referencing free game items and hacks for popular games such as Roblox and Coin Master, indicating a phishing or scam lure. An ML classifier flags the PDF as malicious, and heuristics detect external URIs and command-execution token sequences in the document text, which further supports this assessment. Although no scripts were explicitly extracted, the document's structure and content suggest it is designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9980

Heuristics (4)

  • LOLBin token sequence in document text (severity: high, rule: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000333b.bin
  SHA-256: 02cb0f0f375255f28c424619c374814107b1d0175a9e9c9e751270a42c20fc19
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x333B
  Size: 22516 bytes

Filename: font_01_sfnt_off00006581.bin
  SHA-256: bfdb225f1ad4e5ac17ebae8e653a0eda3db270cae00ba48890bdb6d0a0ba409c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6581
  Size: 19076 bytes