Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9152b179918be64…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Created: 2021-05-21 11:33:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 79b840eebb0d33e5bd775d6214b28d03
SHA-1: 7cccd9de638a12dbb3b3db911a10fe43003d0e31
SHA-256: d9152b179918be6425013e6a091be4ab4781980a052f946616f4958e631669d5
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple URLs pointing to potentially malicious content, disguised as game-related hacks or generators. The presence of a 'download button' heuristic and a 'password archive lure' suggests the document is designed to trick users into downloading and potentially decrypting a malicious payload. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9407

Heuristics (4)

  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/431946152/roblox-script-hacks-game-hack
    • http://demenagementlandry.com/images/how-to-get-free-robux-instantly_GM431946152.pdf
    • http://demenagementlandry.com/images/free-tiktok-followers-500_GM835599320.pdf
    • http://demenagementlandry.com/images/minecraft-pocket-edition-free-apk_GM479516143.pdf
    • http://demenagementlandry.com/images/get-free-robux-2021_GM431946152.pdf
    • http://demenagementlandry.com/images/coin-master-hack-mod-apk-2021_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000033a3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x33A3
    Size: 28924 bytes
    SHA-256: c7ebe55196fa8c5fd7acf0057c58cd32181aac96d293e8241700b5df71fe4f04
  • font_01_sfnt_off000073d8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73D8
    Size: 18580 bytes
    SHA-256: 535ec4be0d2657e9981f9200dcc4c4c41f6589372ce54f218017d5d6a2e1f0f5