Malicious PDF — malware analysis report

Static analysis result for SHA-256 c70a08668271eb0d…

MALICIOUS

PDF

Size: 41.3 KB
Created: 2021-05-17 05:20:48 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: db35fb4977e1b48a0d2c95f7eb284a9a
SHA-1: 75e0eaebeb40d219f31cd6f2339fcca368245dc4
SHA-256: c70a08668271eb0d662fee00a5d8090bac03a24a8d55761ced2a972d30cf64d1
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The document contains numerous embedded URLs and a heuristic firing for 'SE_SECRET_RECOVERY_LURE', indicating it attempts to trick users into providing sensitive information or downloading further malware. The ML classifier also strongly flagged this PDF as malicious. The primary lure appears to be related to game cheats and currency for games like Coin Master and Roblox.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • Recovery secret / private key request [critical] SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/406889139/coin-master-hacks-no-surveys-game-hack
    • http://fishtech.is/images/get-free-robux-without-doing-anything_GM431946152.pdf
    • http://fishtech.is/images/free-robux-games_GM431946152.pdf
    • http://fishtech.is/images/robux-hacks-2021_GM431946152.pdf
    • http://fishtech.is/images/free-shirt-roblox_GM431946152.pdf
    • http://fishtech.is/images/free-roblox-accounts-with-robux-that-work-not-banned_GM431946152.pdf
    • http://fishtech.is/images/coin-master-apk-hack-mod-download_GM406889139.pdf
    • http://fishtech.is/images/robux-download_GM431946152.pdf
    • http://fishtech.is/images/coin-master-free-spins-and-coins-app_GM406889139.pdf
    • http://fishtech.is/images/free-roblox-gift-card-codes-2021-unused_GM431946152.pdf
    • http://fishtech.is/images/free-coins-coin-master-blog_GM406889139.pdf
    • http://fishtech.is/images/roblox-devil_GM431946152.pdf
    • http://fishtech.is/images/free-robux-games-that-actually-work_GM431946152.pdf
    • http://fishtech.is/images/free-coin-master-stuff_GM406889139.pdf
    • http://fishtech.is/images/free-spins-for-coin-master-that-work_GM406889139.pdf
    • http://fishtech.is/images/free-robux-com_GM431946152.pdf
    • http://fishtech.is/images/get-more-free-spins-on-coin-master_GM406889139.pdf
    • http://fishtech.is/images/coin-master-60-spins_GM406889139.pdf
    • http://fishtech.is/images/free-spins-on-coin-master-game_GM406889139.pdf
    • http://fishtech.is/images/free-spins-coin-master-october-17-2021_GM406889139.pdf
    • http://fishtech.is/images/free-robux-giveaway_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004665.bin
  SHA-256: 0fbebc729f6e005b89f2cba8094a95aa03427e0b28e064e48a2c1b369125e9b4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4665
  Size: 25776 bytes

Filename: font_01_sfnt_off00007f56.bin
  SHA-256: 55a2c5e1b7f94918972dbf36de35b773a73c2c126b1f6e018f905b5ffe646750
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F56
  Size: 18148 bytes