Malicious PDF — malware analysis report

Static analysis result for SHA-256 eea98b994ec722d6…

MALICIOUS

PDF

41.8 KB Created: 2021-05-02 07:56:29 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ba114bbd7047324ef7de2d6fcbaf8792 SHA-1: 7ba808d8d1a833f58c90c5b9372e1928d722dcb8 SHA-256: eea98b994ec722d6ae01781307acb9d79769e4b560417b653c081021000e270b
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document uses a social engineering lure, specifically a browser extension/update installation lure, to trick users into downloading potentially malicious content. The document contains multiple embedded URLs, one of which is directly associated with a lure for free tolls in a Roblox game, suggesting a phishing or malware distribution attempt. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-tolls-roblox-ultimate-driving-game-hack
    • https://lib-stie.yai.ac.id/repository/auto-clicker-roblox-free.pdf
    • https://lib-stie.yai.ac.id/repository/free-robux-no-human-verification-no-survey-2021-no-password.pdf
    • https://lib-stie.yai.ac.id/repository/free-draw-on-roblox.pdf
    • https://lib-stie.yai.ac.id/repository/roblox-hack-freecam.pdf
    • https://lib-stie.yai.ac.id/repository/roblox-lumber-tycoon-money-hack.pdf
    • https://lib-stie.yai.ac.id/repository/is-roblox-being-hacked-2021.pdf
    • https://lib-stie.yai.ac.id/repository/free-robux-generator-no-apps.pdf
    • https://lib-stie.yai.ac.id/repository/how-to-hack-roblox-for-free-robux-2021.pdf
    • https://lib-stie.yai.ac.id/repository/instalar-roblox-free.pdf
    • https://lib-stie.yai.ac.id/repository/roblox-the-pizzeria-rp-remastered-coins-hack-script-pastebin.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000410d.bin
ac522cdc421ee87243a7ff00e32acd5c7ab07f540d11fce9e8c4d273eae3eef4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x410D 26780 bytes
font_01_sfnt_off00007e3f.bin
dc5a719c0319b7dcca956acb668460ad7ce48a4ba2acf510de9562f8dd00aaa1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E3F 19416 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.