PDF malware analysis — malicious · bea85b02435f91fb

MALICIOUS

PDF

46.9 KB Created: 2021-05-16 16:25:27 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)

MD5: ff546cd4ac0aa66cf4c7be898a5c185e SHA-1: d25e8544cf98ee746fbc22fef02d89d7eb01a74b SHA-256: bea85b02435f91fba2aedd652fc66a5ca3fc7353c3aa557f683ae1525ea19a62

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The document displays a fake CAPTCHA and contains numerous links to external websites, suggesting a social engineering attack. The presence of links related to game hacks and free items indicates a lure to trick users into downloading or visiting malicious sites. While no scripts were directly extracted, the PDF structure and embedded URLs strongly suggest an attempt to redirect users to potentially malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.8948

Heuristics 4

Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA

Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://netcdn.xyz/app/431946152/how-to-make-a-roblox-group-for-free-game-hack
- http://atmos-service.com/images/free-robux-com-no-verification_GM431946152.pdf
- http://atmos-service.com/images/robux-hack-free-robux_GM431946152.pdf
- http://atmos-service.com/images/roblox-hack-codes_GM431946152.pdf
- http://atmos-service.com/images/mcpe-optifine_GM479516143.pdf
- http://atmos-service.com/images/oprewards-free-robux_GM431946152.pdf
- http://atmos-service.com/images/coin-master-cheats_GM406889139.pdf
- http://atmos-service.com/images/how-to-get-free-spins-on-coin-master-hack_GM406889139.pdf
- http://atmos-service.com/images/how-to-get-free-robux-hack_GM431946152.pdf
- http://atmos-service.com/images/toolbox-apk_GM479516143.pdf
- http://atmos-service.com/images/free-minecraft-client_GM479516143.pdf
- http://atmos-service.com/images/how-to-get-a-lot-of-robux_GM431946152.pdf
- http://atmos-service.com/images/coin-master-hack-version-download-2021_GM406889139.pdf
- http://atmos-service.com/images/roblox-avatar-girl_GM431946152.pdf
- http://atmos-service.com/images/free-spins-and-coins-com_GM406889139.pdf
- http://atmos-service.com/images/blogspot-coin-master-free-spins_GM406889139.pdf
- http://atmos-service.com/images/free-spins-generated-from-coin-master_GM406889139.pdf
- http://atmos-service.com/images/code-free-robux_GM431946152.pdf
- http://atmos-service.com/images/coin-master-free-spins-2021-hack_GM406889139.pdf
- http://atmos-service.com/images/coin-master-free-spin-and-coin-link-haktuts-hacking-news_GM406889139.pdf
- http://atmos-service.com/images/how-to-get-spins-for-free-on-coin-master_GM406889139.pdf
- http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004c01.bin` `459f34ab395c06ff53f29c3301502e0f9b87ae827d57eb68f114c2d2eb7ba1dc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4C01	25496 bytes
`font_01_sfnt_off0000858c.bin` `450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x858C	5696 bytes
`font_02_sfnt_off0000929d.bin` `d86a0664516f84ca778de604dc8f5b6c02622b942defeefdc42ca528d3381c5a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x929D	19020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.