Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf953d56b52c12e1…

MALICIOUS

PDF

226.9 KB Created: 2021-07-06 16:43:21 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ea07728f9addfbfdf16b045d419baa76 SHA-1: 7a8ebec36ad0dbf0bcdf7a967a51cbb4c98b0394 SHA-256: cf953d56b52c12e1bde5b9842eb1e774367101d69ec752b88fbddb1c1a711474
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF document contains heuristics indicating it presents a fake CAPTCHA and a download lure, aiming to trick users into installing browser extensions or plugins. The document body, though partially corrupted, includes a URL pointing to a resource related to game hacks, reinforcing the social engineering theme. The presence of multiple external URLs suggests an attempt to redirect the user to malicious sites.

Machine Learning

  • Nyx PDF Classifier clean score 0.0118

Heuristics 6

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/1094591345/how-to-earn-free-pokeballs-in-pokemon-go-game-hack
    • http://lib.fekon.untad.ac.id/repository/earn-points-for-robux_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/all-free-skins-on-roblox-for-2021_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/minecraft-hacker-mask_GM479516143.pdf
    • http://lib.fekon.untad.ac.id/repository/bird-simulator-roblox-cheats_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/earn-free-robux-today_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/how-to-hack-a-group-on-roblox-to-own-it_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/tokyo-ghoul-roblox-hack_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/roblox-hack-me-robux_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/coin-master-daily-free-spins-25_GM406889139.pdf
    • http://lib.fekon.untad.ac.id/repository/free-robux-no-inspect-no-info_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/ways-to-get-robux-without-hacking_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/free-robux-come_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/how-do-u-get-free-robux_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/how-to-get-free-robux-2021-videos_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/hack-jump-roblox_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/roblox-lego-hack_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/roblox-robux-free-codes-2021_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/coin-master-gameplay_GM406889139.pdf
    • http://lib.fekon.untad.ac.id/repository/how-to-get-free-roblox_GM431946152.pdf
    • http://lib.fekon.untad.ac.id/repository/coin-master-free-spins-link-blogspot-today_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_023_off00031fa1.bin
5383d0815c7bd1a17889cea9becef37816b4a62881dab4bbf89e21acf71b0023		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31FA1 25728 bytes
font_01_sfnt_off00035bc9.bin
0ea5a2b8e6f39a07c953cf08cdcaa8f90daf9943cd5fa6820fd62b3f91752d55		 pdf-font-stream PDF embedded font (sfnt) at offset 0x35BC9 18752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.