Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae02b4111c319083…

MALICIOUS

PDF

41.9 KB Created: 2021-04-24 23:06:55 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 53b0ebfc6bfaeaa4781ccf1637c57b10 SHA-1: 24a43eb63c38bd203c9fbf1ccda7ec04ca518b9a SHA-256: ae02b4111c319083dfd5316ac5af4ea2e1d08f4648d177f6a53115e59c4adf11
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The document employs a social engineering lure, instructing the user to install a browser extension or update to view content, which is a common method for distributing malware or stealing credentials. The presence of multiple external URLs, including one pointing to a potential exploit or malware download, further supports this malicious intent. While no scripts were directly extracted, the PDF structure and embedded URLs suggest a malicious workflow, likely involving the download and execution of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-cheat-in-minerh-eaven-roblox-game-hack PDF link annotation
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/hacks-para-counter-blox-roblox.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/robux-hack-pro-tv.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/roblox-hack-robux-no-human-verification-2021.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/roblox-hacks-gratis.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/roblox-redeem-card-codes-free-2021.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/how-to-get-free-stuff-in-catalog-roblox-2021.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/do-you-want-tons-of-free-robux-copypasta.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/how-to-make-roblox-not-detect-cheat-engine.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/get-50-00-robux-free.pdfIn PDF document text
    • http://www.nlcitychurch.org.hk/upload/userfiles/files/free-roblox-accounts-with-obc-lifetime-2021.pdfIn PDF document text
    • https://robux-rank.comIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000436f.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x436F 26168 bytes
SHA-256: 7084ecf3e12b4cdcd820287ecbec6f0567dc115fd33277370ebbc044b0158757
font_01_sfnt_off0000804d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x804D 18876 bytes
SHA-256: fb24089c63f588af2dce5a016e34934929315d8c119313af87dfb08da2e64d9a