Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0ac1c1e5c80764d…

MALICIOUS

PDF

40.5 KB Created: 2021-05-20 21:11:44 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: dda5c3fd5043508336d4d3ec409667c2 SHA-1: 880cde8a6c025546c037d2bd846ec0cc68728a07 SHA-256: d0ac1c1e5c80764d60e18f289f88578b8147a47c42e92a32d7db18e2966ed227
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PDF document that displays a fake CAPTCHA to trick the user into interacting with it, likely to initiate a download. It contains an external URI pointing to a URL associated with 'free robux hacks', which is a common lure for malicious content. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9513

Heuristics 4

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/roblox-group-free-robux-game-hack
    • https://www.stileadda.com/uploaded_files/userfiles/files/free-promo-codes-for-coin-master_GM406889139.pdf
    • https://www.stileadda.com/uploaded_files/userfiles/files/how-to-hack-coin-master-spin-ios_GM406889139.pdf
    • https://www.stileadda.com/uploaded_files/userfiles/files/how-to-get-free-robux-easy-hack_GM431946152.pdf
    • https://www.stileadda.com/uploaded_files/userfiles/files/free-robux-roblox-promo-codes_GM431946152.pdf
    • https://www.stileadda.com/uploaded_files/userfiles/files/classic-minecraft-net-hacks_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003ff0.bin
7a914e3e20d1b28da83ffa61f1de81965429616db9e9d3289786b88912a00094		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3FF0 27528 bytes
font_01_sfnt_off00007d83.bin
b2792b9995997ff68e5dfa2acea2bbc639d657441038e216f117c3302624ca62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D83 18264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.