Malicious PDF — malware analysis report

Static analysis result for SHA-256 b69499947ed963ef…

Verdict: MALICIOUS
File type: PDF
Size: 47.5 KB
Created: 2021-06-09 13:33:55 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2b89da993028d2fbe7f74bb380531cc8
SHA-1: af311980c61dddfad0b62cdcc87580a262703b47
SHA-256: b69499947ed963ef686c61699b61ab0ba874a4db7eb4681973c45d760b465daf
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF relies on a social-engineering lure: it tells the reader to install a browser extension or browser update in order to view the content, a common pretext for credential theft and malware delivery. It also carries an external URI action whose target is a game-hack themed URL (a Roblox "hack" lure), which is consistent with that intent, and the producer metadata (wkhtmltopdf 0.12.6) shows the file was rendered from an HTML page, in line with the many game-hack themed links extracted from it. No JavaScript or other scripts were extracted, so the verdict rests on the ML classifier score and the heuristic firings rather than on an observed exploit; the expected next step after the lure is the download of a second-stage payload from the linked URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics (4)

  • Browser extension / update installation lure [high] SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.tw/app/431946152/how-to-hack-a-youtuber-in-roblox-game-hack
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/coin-master-blogspot_GM406889139.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/free-robux-no-human-verification-or-survey-2021_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/coin-master-free-coins_GM406889139.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/free-spins-coin-master-2021_GM406889139.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/rbxoffer-com-free-robux_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/get-free-robux-com_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/roblox-hack-download_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/free-robux-without-offers_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/how-do-you-get-free-robux-2021_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/free-robux-gift-card-codes_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/robux-miner_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/minecraft-pe-free_GM479516143.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/coin-master-free-spin-and-coins-links-home_GM406889139.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/coin-master-free-spins-for-iphone_GM406889139.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/coin-master-club-hack_GM406889139.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/how-to-get-free-robux-2021-no-human-verification_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/minecraft-dungeons-download-free_GM479516143.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/real-robux-codes_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/free-robux-youtube_GM431946152.pdf
    • http://preverjaboticabal.com.br/assets/uploads/canal_alpha/files/roblox-guess-the-emoji-cheat_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_004_off000052f5.bin
  SHA-256: 504b620ce13102ed79fa893418357bb177d7da6bbe85f37ac37f0f254b52e88e
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x52F5
  Size: 24856 bytes

Filename: font_01_sfnt_off00008b99.bin
  SHA-256: baad2f3f6808f4af03fa9398e38c580c8d846f7f773a947d8cc1f39b2753d31a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8B99
  Size: 2844 bytes

Filename: font_02_sfnt_off0000955b.bin
  SHA-256: 98dd7e3fb3b9e5c9f08263def463aa5dafe808db68f733ccd2ac8805cf3df98d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x955B
  Size: 18752 bytes
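The heuristics section and the artifact table above are both produced by walking the PDF's objects: carving each stream (inflating FlateDecode), classifying it by magic bytes, pulling /URI targets, and matching lure phrases in the rendered text. The script below is an added illustration of that workflow, not the analyser that generated this report. The lure regexes are an assumed approximation of the SE_BROWSER_INSTALL_LURE and SE_DOWNLOAD_BUTTON rules, the stream walker is a minimal regex parser (it ignores /Length, hex-string URIs and escaped parentheses, which a production tool must handle), and SAMPLE_PDF is a constructed file, not the sample analysed here.

```python
"""Added PDF triage helper (illustration, not the report's analyser).
Carves streams, classifies them (sfnt font vs. decompressed stream),
extracts /URI targets and fires the SE_* lure heuristics on page text.
Regexes are assumed approximations of the report's rules."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")     # literal-string URIs only (no hex strings)
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")        # simple (...) Tj operators, no escapes
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

LURES = {  # assumed approximations of the report's SE_* rules
    "SE_BROWSER_INSTALL_LURE": re.compile(
        r"\b(install|update)\b.{0,40}\b(extension|plug-?in|viewer|browser)\b", re.I),
    "SE_DOWNLOAD_BUTTON": re.compile(r"\b(click here to download|download now)\b", re.I),
}


def carve_streams(pdf: bytes):
    """Yield one record per stream, mirroring the artifact table: object
    number, absolute file offset of the stream data, kind, size, SHA-256."""
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(2)
        m = STREAM_RE.search(body)
        if not m:
            continue
        raw, header = m.group(1), body[:m.start()]
        data, inflated = raw, False
        if b"/FlateDecode" in header:
            try:
                data, inflated = zlib.decompress(raw), True
            except zlib.error:
                pass                      # keep the raw bytes when inflation fails
        if data.startswith(SFNT_MAGIC):
            kind = "pdf-font-stream"
        elif inflated:
            kind = "decompressed-pdf-stream"
        else:
            kind = "pdf-stream"
        yield {"obj": int(obj.group(1)), "offset": obj.start(2) + m.start(1),
               "kind": kind, "size": len(data),
               "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def extract_uris(pdf: bytes):
    """Targets of /URI actions anywhere in the file (PDF_URI / EMBEDDED_URL)."""
    return sorted({u.decode("latin-1") for u in URI_RE.findall(pdf)})


def page_text(streams):
    """Concatenate the literal strings shown by Tj in non-font streams."""
    chunks = []
    for s in streams:
        if s["kind"] != "pdf-font-stream":
            chunks.extend(TJ_RE.findall(s["data"]))
    return b" ".join(chunks).decode("latin-1")


def triage(pdf: bytes):
    streams = list(carve_streams(pdf))
    uris = extract_uris(pdf)
    findings = [name for name, rx in LURES.items() if rx.search(page_text(streams))]
    if uris:
        findings.append("PDF_URI")
    return {"streams": streams, "uris": uris, "findings": findings}


# Constructed sample (not the analysed file): one Flate-compressed content
# stream with both lure phrases, one /URI link annotation, one sfnt-looking stream.
CONTENT_STREAM = (b"BT /F1 12 Tf 72 700 Td "
                  b"(Please install the browser extension to view this document) Tj "
                  b"0 -20 Td (Click here to download) Tj ET")
FLATE_DATA = zlib.compress(CONTENT_STREAM)
FONT_DATA = b"\x00\x01\x00\x00" + b"\x00" * 60  # sfnt magic plus padding, not a real font
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
    b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(FLATE_DATA),
    FLATE_DATA, b"\nendstream\nendobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.invalid/app/1/game-hack) >> >> endobj\n",
    b"6 0 obj << /Length %d >>\nstream\n" % len(FONT_DATA), FONT_DATA, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for s in result["streams"]:
        print(f"obj {s['obj']}: {s['kind']} at 0x{s['offset']:X}, {s['size']} bytes, {s['sha256'][:16]}...")
    print("URIs:", result["uris"], "Findings:", result["findings"])
```

Run against the constructed file it reports the Flate stream of object 4 as decompressed-pdf-stream and the sfnt-magic stream of object 6 as pdf-font-stream, each with its absolute offset and SHA-256 in the same shape as the artifact table, lists the single /URI target, and fires SE_BROWSER_INSTALL_LURE, SE_DOWNLOAD_BUTTON and PDF_URI. Note that, as the EMBEDDED_URL entry says, a URL is only evidence once you know which channel reached it; here the link annotation is the only channel the parser understands, so JavaScript actions, OpenAction and form submits would need their own extractors.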