Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf6095e1c64b6c5c…

MALICIOUS

PDF

Size: 37.5 KB
Created: 2021-07-02 05:23:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 4dced45e2711798ebd1df0b4527142d8
SHA-1: 17b08a941b904e2c29900a1da89f6c6a50bf6451
SHA-256: bf6095e1c64b6c5c7054e1279fe08138c7a2cd8a88600c363299f5b6a04203bf
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a launch action and embedded URLs that lead to sites offering 'Free Robux' and other game-related cheats, indicating a lure for potentially unwanted software or scams. The ML classifier strongly flagged this PDF as malicious, and the presence of multiple related URLs reinforces the malicious intent. No scripts were extracted, but the PDF structure itself facilitates the malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Launch action high PDF_LAUNCH
    PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel that reached each URL in parentheses):
    • http://netcdn.co/app/431946152/free-robux-no-human-verification-2021-working-game-hack (PDF link annotation)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/free-money-glitch-on-roblox-on-car-simulator_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/roblox-person_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/how-can-i-get-free-spins-on-coin-master_GM406889139.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/minecraft-build-hacks_GM479516143.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/minecraft-free-download-laptop_GM479516143.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/calamari-free-roblox_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/how-to-get-free-items-on-roblox_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/free-roblox-ames_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/daily-spin_GM406889139.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/free-robux-today_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/can-you-get-robux-for-free_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/how-to-get-500-robux-for-free-2021_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/earn-free-robux-today_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/coin-master-free-spin-and-coins-links-2021_GM406889139.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/launch-hack-roblox_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/free-rthro-packages-roblox_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/download-coin-master-free-spins-link-2021-today_GM406889139.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/free-robux-2021-no-verification_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/free-horror-games-multiplayer-roblox_GM431946152.pdf (in PDF document text)
    • https://kaospartai-murah.com/ckfinder/userfiles/files/roblox-hacked-online-game_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000036da.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x36DA | 22928 bytes
    SHA-256: 9e9cfe09c17147e6547f8115d7791bdf7dff886ebd7e277cd391aede36b25e60
font_01_sfnt_off00006a93.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A93 | 20104 bytes
    SHA-256: 0389ba2dac7d80bce25185efcb80c81d0ae8ae311786014dc727ec60a5e7217c