Malicious PDF — malware analysis report

Static analysis result for SHA-256 c134a908e0ddcd4c…

Verdict: MALICIOUS
File type: PDF

Size: 44.6 KB
Created: 2021-06-09 14:30:57 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: eb1ea2023c79c8ea0c3e29d0d885aa86
SHA-1: d09e71950e97d53cb032ba098cba706a486ce35c
SHA-256: c134a908e0ddcd4cbfab8a50f10c7f5408fb7eb7c1bc7e26fe30c8672a06cf98
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF document exhibits malicious behavior by displaying a fake CAPTCHA to trick the user into interacting with the content. It also contains instructions to disable security software, indicating a clear intent to bypass defenses. The embedded URL points to a resource likely intended to deliver a secondary payload, suggesting a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9865

Heuristics (5)

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/free-obc-roblox-pastebin-game-hack
    • http://aks-akk.ac.id/html/perpusakk/repository/how-to-get-free-robux-copy-and-paste-2021_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-tree-planting-simulator-hacks-pastebin_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-money-hack-cheat-engine-64_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-kill-hack-script-fe_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/how-to-hack-plates-of-fate-roblox_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-project-jojo-free-items-exploit_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/free-promo-codes-roblox-2021-robux_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/free-robloxe_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/how-to-hack-a-roblox-account-2021-easy_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/check-crashed-roblox-hack_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/how-to-hack-diamonds-roblox-murder-mystery-2_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-robux-generator-best-hack_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/comment-cheater-sur-roblox-relail-ticoon_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-scp-site-61-card-hack_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/wheel-decide-roblox-free-robux_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/compile-roblox-hack-dll_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/free-dell-laptop-roblox_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/how-to-get-a-free-valk-on-roblox_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/free-robux-hack-tool_GM431946152.pdf
    • http://aks-akk.ac.id/html/perpusakk/repository/roblox-booga-booga-speed-hack-download_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00005178.bin
    SHA-256: 6079ae49a793771e3b0d7b67f2fec4c04d0df28f51b7fe47d7f4ef85f4d08264
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5178
    Size: 24856 bytes
  • Filename: font_01_sfnt_off00008afb.bin
    SHA-256: 91d7e8c4e078214953fe9dd52da0026ca6ad2846029cbb33a0cf56433ac65027
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8AFB
    Size: 18552 bytes