Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9ccba02e74515b7…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Created: 2021-04-27 06:19:31 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: 5fc4fad89d7a35b47d8ec217dd2e35bc
SHA-1: a6842a45fd7750ffb6944def04f7e5f0abc94e04
SHA-256: b9ccba02e74515b722e7abfef113cf27c4d6892928dcf74b929cbc6bfffe8a48
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains lures related to hacking Roblox accounts and prompts the user to click links to download files or install browser extensions. The ML classifier strongly flagged this PDF as malicious, and the presence of multiple external URLs suggests a download or redirection attempt. No scripts were extracted from this sample, but the document body and heuristics indicate a social engineering attack aiming to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics (4)

  • Browser extension / update installation lure (severity: high, rule SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/how-to-hack-roblox-accounts-2021-inspect-game-hack (PDF link annotation)
    • https://lib-stie.yai.ac.id/repository/abs-t-shirt-roblox-free.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/how-to-get-free-robux-hack-ios.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/exploit-engine-roblox-free.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/codes-in-roblox-free.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/roblox-free-online-no-sign-up-or-download.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/roblox-ro-hacks.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/kazok-free-robux.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/how-to-hack-chaos-washers-on-roblox.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/roblox-hack-gui-scripts.pdf (in PDF document text)
    • https://lib-stie.yai.ac.id/repository/roblox-hack-tool-no-survey-no-download.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000043af.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x43AF | 28000 bytes
    SHA-256: b902bb0062430321c09ad15791e7b036b647386129d31c1b2da81824684ed65f
font_01_sfnt_off00008376.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8376 | 19168 bytes
    SHA-256: ea06e0f79a18da4f83effe2ad31a950f756dc3cb05ce6de53ae603fb83d2acf9