Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6eb7a2b51564893…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Created: 2021-07-04 02:55:42 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: ba56ab3d42241819962790985f7d16ba
SHA-1: 6ae50243f8a8bc745c613635399a23371bfbc505
SHA-256: e6eb7a2b5156489383a3ea58ffc156ed5bfc8ed67f26c13e7337ea56f8c25cbc
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and lures users with promises of free in-game items for popular games. The ML classifier strongly indicated maliciousness, and the presence of external URIs suggests the document is designed to redirect users to malicious sites. The document body and heuristics indicate a social engineering tactic to trick users into downloading potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (source):
    • http://netcdn.tw/app/431946152/roblox-free-skin-game-hack (PDF link annotation)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/coin-master-free-spins-link-download-hack_GM406889139.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/how-to-get-bc-for-free-on-roblox-2021_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/free-robux-with-no-verification_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/free-roblox-game-card-pins_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/roblox-mobile-hack_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/free-unlimited-coins-for-coin-master_GM406889139.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/free-robux-please_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/free-minecraft-account-and-password-generator_GM479516143.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/is-there-a-free-version-of-minecraft_GM479516143.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/free-roblox-gfx_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/roblox-hacked-accounts-list-2021_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/how-to-get-roebucks_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/can-you-give-me-robux_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/how-to-get-free-shirts-on-roblox_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/coin-master-attack-block-hack_GM406889139.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/coin-master-online-hack-download_GM406889139.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/coin-master-free-spin-ml_GM406889139.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/coin-master-hack-apk-2021_GM406889139.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/10-roblox-games-that-give-free-robux-2021-febuary_GM431946152.pdf (in PDF document text)
    • https://www.andhrarealty.in/uploaded_files/userfiles/files/easy-points-gg_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00003141.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3141
    Size: 23128 bytes
    SHA-256: 3dfabf71c6af04074fc9ce557987b90446c1fa5a54b333e4fcf152bf23cf3ee8
  • Filename: font_01_sfnt_off00006512.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6512
    Size: 18940 bytes
    SHA-256: b5d8babfaa30c4b2b95342cf49a53600ebe9e41e04f3214303634a02cb80832e