Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec29f93bd0d6191e…

Verdict: MALICIOUS
File type: PDF

Size: 35.1 KB
Created: 2021-07-01 21:57:44 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 968432da65844bbb060112b6fdc63598
SHA-1: 5a83230fd3b6eff3ddf25c3fae1ad68f797ffdf6
SHA-256: ec29f93bd0d6191ed0a81e5d68b016b40007ffbe785a22af8c28604d72745410
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document carries 22 extracted URLs. One points at a known malicious redirector (http://netcdn.co/app/431946152/jailbreak-roblox.com-cheats-game-hack); twenty point at a raw IPv4 host, http://103.68.2.77, under the path /__statics/gudangsoal/files/, with filenames promising Roblox, Minecraft and TikTok cheats and free in-game currency; the remaining one is a benign reference to the MIT License page on Wikipedia. Per the channel labels, only the roblox-xyz-hack file on the IP host is a clickable link annotation; the redirector URL and the other IP-hosted URLs are written into the document text. The numeric ID in the redirector path (431946152) recurs as the _GM431946152 suffix on sixteen of the twenty hosted filenames, and two further IDs follow the same pattern (GM479516143 on the three Minecraft lures, GM835599320 on the TikTok lure), which ties the redirector and the IP host to one campaign using per-topic identifiers. No finding reports embedded JavaScript or a parser-level exploit: delivery depends on the victim clicking through the redirect chain, so the T1203 mapping above is not supported by the observed behaviour (T1204.001, User Execution: Malicious Link, is the technique the heuristics actually describe). The Nyx classifier independently scores the file as malicious at 0.9980.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [medium] PDF_URI_IP_LITERAL: Clickable URI points to raw IP address
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/jailbreak-roblox.com-cheats-game-hack (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-xyz-hack_GM431946152.pdf (PDF link annotation)
    • http://103.68.2.77/__statics/gudangsoal/files/vip-roblox-free_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-hack_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/free-robux-hacker-us_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-get-free-robux-with-inspect-2021_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-hack-roblox-mobile-with-cydia_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-pink-free-robux_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/get-free-roblox-robux-on-therobuxapp-com_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/free-robux-and-builders-club-hack_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/are-roblox-hack-clients-a-thing_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-scripts-download-for-free_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/free-robux-no-human-verification-no-survey_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-get-free-minecoins-in-minecraft_GM479516143.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/free-tiktok-likes-2021_GM835599320.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/roblox-adopt-me-free-vbucks_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/classic-minecraft-net-hacks_GM479516143.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-speed-hack-in-roblox-booga-booga_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/is-atticus129-roblox-profile-hacked_GM431946152.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/get-minecraft-for-free_GM479516143.pdf (in PDF document text)
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-hack-into-someones-roblox-account_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)
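The per-URL channel labels and the three URL-centred rules above can be reproduced with a small first-pass extractor. The following Python is an added example written for this page, not code from the analysis platform that produced the report. It runs over a constructed sample PDF embedded in the block (not the analysed file), uses a placeholder blocklist (redirector.example) standing in for a threat-intel feed, and reuses the report's heuristic IDs and severity words as labels; the matching logic is the example's own.

```python
import re
import zlib
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed placeholder blocklist. A real deployment fills this from threat-intel
# feeds; the report's netcdn.co redirector would be one such entry.
KNOWN_REDIRECTOR_HOSTS = {"redirector.example"}

# /URI action string, allowing escaped parentheses inside the literal.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# A stream together with its (flat) dictionary, so /Filter and /Type can be checked.
STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
CTA_RE = re.compile(rb"click here to download|download now|free download", re.I)

# Constructed sample, not the analysed file: one /Link annotation to a raw IPv4 host,
# the same URL plus a benign named-host URL typed in the page text, and a lure phrase.
# Streams are uncompressed; the regex parser below does not validate /Length.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 146 >>
stream
BT /F1 12 Tf 72 720 Td (Download Now: http://203.0.113.10/files/cheat.pdf) Tj ET
BT 72 700 Td (See http://en.wikipedia.org/wiki/MIT_License) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 710 400 730]
           /A << /S /URI /URI (http://203.0.113.10/files/cheat.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _pdf_string(raw: bytes) -> str:
    # Undo the literal-string escapes that matter for URLs: a backslash before ( ) or \.
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def _host(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed IPv6 brackets and the like
        return ""


def classify_host(url: str) -> str:
    """'ip-literal' when the host is a bare IPv4/IPv6 address, otherwise 'named'."""
    try:
        ip_address(_host(url))
        return "ip-literal"
    except ValueError:
        return "named"


def iter_streams(pdf: bytes):
    """Yield (dictionary, body) per stream, inflating FlateDecode so text can be searched."""
    for dict_bytes, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_bytes:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or non-zlib data: skip rather than guess
        yield dict_bytes, body


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channels that reached it, like the report's per-URL labels."""
    channels: dict = {}

    def add(raw: bytes, channel: str) -> None:
        channels.setdefault(_pdf_string(raw), set()).add(channel)

    for raw in URI_ACTION_RE.findall(pdf):  # annotations stored as plain objects
        add(raw, "PDF link annotation")
    for dict_bytes, body in iter_streams(pdf):
        if b"/ObjStm" in dict_bytes:  # compressed object stream: may hold annotation dicts
            for raw in URI_ACTION_RE.findall(body):
                add(raw, "PDF link annotation")
        else:  # page content: URLs written out in the text
            for raw in TEXT_URL_RE.findall(body):
                add(raw, "PDF document text")
    return {u: sorted(c) for u, c in channels.items()}


def run_heuristics(pdf: bytes) -> list:
    """Apply the report's URL rules; IDs and severities are the report's labels."""
    findings = []
    for url, via in extract_urls(pdf).items():
        if _host(url) in KNOWN_REDIRECTOR_HOSTS:
            findings.append({"id": "PDF_MALICIOUS_REDIRECTOR_LINK", "severity": "critical",
                             "url": url, "via": via})
        elif classify_host(url) == "ip-literal":
            findings.append({"id": "PDF_URI_IP_LITERAL", "severity": "medium",
                             "url": url, "via": via})
    phrases = {m.group(0).decode("latin-1") for d, body in iter_streams(pdf)
               if b"/ObjStm" not in d for m in CTA_RE.finditer(body)}
    if phrases:  # low-signal alone, as the report says: recorded, never escalated by itself
        findings.append({"id": "SE_DOWNLOAD_BUTTON", "severity": "low",
                         "phrases": sorted(phrases)})
    return findings
```

This is a regex triage pass, and its blind spots are the ones that matter on real samples: page text stored as hex strings or through custom font encodings will not match TEXT_URL_RE, link annotations are only found in plain objects and in FlateDecode object streams, and /Length is never checked. For anything beyond triage, run the same rules over a real parser's object tree (pypdf, pdfminer.six or peepdf) and keep the raw-IP rule at medium severity, as the report does, because intranet documents link to bare addresses legitimately.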

Extracted artifacts (2)

Files carved from inside the sample during analysis. No verdict is attached to them: two embedded fonts are what an HTML-to-PDF renderer such as wkhtmltopdf is expected to produce, and they are carved and hashed so that the same font streams can be matched across related samples.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000309a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x309A  22668 bytes
  SHA-256: 1c46461dd473883580bf7cec278e2914976ac77e9d1f9cb7a074754c60c6d211
font_01_sfnt_off000062d9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x62D9  19540 bytes
  SHA-256: 08933771a549bd0516f7ad2455b1d8b0e942bdd9efc165c09e6b902d5fbe79b1