Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba42fa2269c301b3…

MALICIOUS

PDF

250.7 KB Created: 2021-07-07 02:28:42 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: bb94b229a249a5f9bee55f28724945c6 SHA-1: a70410633d738c789949e7fb81f10d0dc55875ce SHA-256: ba42fa2269c301b32ed5d29895d92fe9fcb484110f80aff8968760c7c16fde0e
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document exhibits characteristics of a social engineering attack, employing a fake CAPTCHA and an advance-fee scam lure related to game currency generators. It contains an embedded URI pointing to a suspicious domain, likely serving as a download link for a secondary payload. The document's content and heuristics strongly suggest an attempt to trick the user into executing malicious code.

Machine Learning

  • Nyx PDF Classifier clean score 0.0098

Heuristics 7

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/1330123889/pubg-uc-online-generator-game-hack
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-free-robux-without-verifying-2021_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/robux-app_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/auto-clicker-hack-roblox-download_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-minecraft-bedrock-edition-for-free_GM479516143.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/get-free-robux-at_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-robux-generator_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/jouer-avec-manette-free-roblox_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-minecraft-website_GM479516143.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/real-roblox_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/roblox-colouring-in-pages-free_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/easy-way-to-get-free-robux_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/hack-roblox-dl_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-hack-a-roblox-account-easy_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/roblox-piano-hack-script_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/sword-roblox-free_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-hacked-apk-download-for-android_GM406889139.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-unlimited-free-spins-link-2021_GM406889139.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-chest-coin-master_GM406889139.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-1-million-robux-for-free-2021_GM431946152.pdf
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/is-there-a-way-to-get-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_024_off00037d9e.bin
4a74cf05c9cc4041ab766ce2038297c21787c06287bc0abc747470bc2a5954f1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x37D9E 25928 bytes
font_01_sfnt_off0003bab2.bin
b1ea124968d6374cca652057fd487bfd2f5e1d59e9bfcb62a4aa290c5f0d05d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3BAB2 18564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.