Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef9e3f99d099e1a1…

MALICIOUS

PDF

45.7 KB Created: 2021-06-10 14:07:25 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 8ce4058b46d895b4477c76aeca0dab1f SHA-1: e3d125af4b3cf9b2f0953621d8c4832fdbacd5d7 SHA-256: ef9e3f99d099e1a1949ada97b74857bfd6c5f8ccd88237cbf4018d3ea99b1f08
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document employs social engineering tactics, presenting a fake CAPTCHA and download button to trick users into believing they can get game hacks. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous external URLs suggests a download or redirection attempt. While no scripts were explicitly extracted, the document's structure and embedded URLs indicate it's designed to lead users to malicious content, likely for credential theft or malware installation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9864

Heuristics 6

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.tw/app/431946152/roblox-hack-robux-hack-no-verification-game-hack
    • http://arpinoturismo.it/images/codigo-hack-robux_GM431946152.pdf
    • http://arpinoturismo.it/images/free-spins-coin-master-november-2021_GM406889139.pdf
    • http://arpinoturismo.it/images/best-minecraft-hacked-client-2021_GM479516143.pdf
    • http://arpinoturismo.it/images/hack-to-get-money-in-gta-roblox_GM431946152.pdf
    • http://arpinoturismo.it/images/roblox-tix-generator_GM431946152.pdf
    • http://arpinoturismo.it/images/how-to-get-free-food-on-coin-master_GM406889139.pdf
    • http://arpinoturismo.it/images/minecraft-bedrock-edition-hacks_GM479516143.pdf
    • http://arpinoturismo.it/images/roblox-hacking-website_GM431946152.pdf
    • http://arpinoturismo.it/images/free-robux-just-click_GM431946152.pdf
    • http://arpinoturismo.it/images/free-robux-generator-no-verification_GM431946152.pdf
    • http://arpinoturismo.it/images/how-to-get-free-tiktok-coins_GM835599320.pdf
    • http://arpinoturismo.it/images/robloxmatchcom-free-robux_GM431946152.pdf
    • http://arpinoturismo.it/images/coin-master-hack-pro-gamers-com_GM406889139.pdf
    • http://arpinoturismo.it/images/free-download-roblox-pc_GM431946152.pdf
    • http://arpinoturismo.it/images/free-tiktok-likes-no-human-verification-or-downloading-apps_GM835599320.pdf
    • http://arpinoturismo.it/images/coin-master-free-spins-and-coins-2021_GM406889139.pdf
    • http://arpinoturismo.it/images/free-minecraft-java-edition_GM479516143.pdf
    • http://arpinoturismo.it/images/free-robux-without-offers_GM431946152.pdf
    • http://arpinoturismo.it/images/roblox-arsenal-hack-script-pastebin_GM431946152.pdf
    • http://arpinoturismo.it/images/minecraft-windows-10-edition-hacks_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000532c.bin
fbffc7c26d2526fa16c843a5e2b2497890867daca199b41e6e1ddb52eea66eee		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x532C 26156 bytes
font_01_sfnt_off00008edb.bin
d009e0c28f241b20599f5a8cbfa6b67e8347ba7b43bcad07c86e5695ff4c82bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EDB 18680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.