Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdb3b76f0852945e…

MALICIOUS

PDF

Size: 34.5 KB
Created: 2021-06-28 01:22:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a2e92823fe6e7ca0b0271d0256672cc5
SHA-1: fba80c6a2747d888032decd61f9b039f26c30ba6
SHA-256: fdb3b76f0852945e48cafedeca6f02ff674244d1d37898c21841cc133f6b6fe1
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF document employs social engineering tactics, specifically a 'ClickFix' lure, to trick users into executing commands. The document body and heuristics indicate it directs users to copy and paste commands into execution contexts like Run or PowerShell, promising rewards for games such as Roblox. The primary malicious URL identified is http://netcdn.co/app/431946152/blox.page-free-robux-game-hack, which likely serves as a payload delivery site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (5)

  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • ClickFix social engineering attack (severity: high, SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.co/app/431946152/blox.page-free-robux-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003109.bin
  SHA-256: c04850d1b22f181d21659dfe9dc73fe8888df8051e4f722e71ba264622538574
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3109
  Size: 22056 bytes

Filename: font_01_sfnt_off000061ef.bin
  SHA-256: a0a6ea546d0e6844d99fd88293a563a8a3dee11cfd1e2744e6cb5564e5043d3b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x61EF
  Size: 19032 bytes