Malicious PDF — malware analysis report

Static analysis result for SHA-256 feaf15de79c0e058…

Verdict: MALICIOUS
File type: PDF
Size: 36.9 KB
Created: 2021-06-28 22:42:03 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 4dd507d717660c9ee98563a0180c6c9a
SHA-1: d29af14611376e563a37571388f7fb1592e39e2f
SHA-256: feaf15de79c0e05893efb83ad4d61002d247fd7e1c5cdefc11e71bf85128a493
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.003 Windows Command Shell

The PDF document contains multiple embedded URLs and exhibits social engineering lures designed to trick the user into executing commands. Specifically, heuristics indicate the document instructs the user to copy or paste content into the Run dialog or a terminal, consistent with ClickFix attacks. The primary URL, http://netcdn.co/app/431946152/free-premote-group-on-roblox-game-hack, likely serves as a download source for a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (5)

  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • ClickFix social engineering attack (severity: high, SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/free-premote-group-on-roblox-game-hack (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000035fb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x35FB
    Size: 23020 bytes
    SHA-256: 64c2cc8fd4dc4eaf77492347751b0117500b4a7912e13e46d300173e2ce8580e
  • font_01_sfnt_off00006a03.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A03
    Size: 19484 bytes
    SHA-256: b5ee229cdc7984be31282fafd4f7c8b5d79bd1e12ece37dd7483e3a297d36829