Malicious PDF — malware analysis report

Static analysis result for SHA-256 17c6f2730b2eaa22…

MALICIOUS

PDF

35.9 KB Created: 2021-05-30 02:13:16 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-08-25
MD5: c2ec68ea9ec909a7a41127ed54bda11c SHA-1: d2d1112dd98884e5ef0b411d07c50ef26f02629f SHA-256: 17c6f2730b2eaa2201ba2d8adef041eb38aa0247974ccb6b6465f57e42b03018
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a malicious redirector link impersonating Netflix to lure users with a 'Free Robux' offer, indicating a likely credential phishing or malware distribution attempt. The ML classifier strongly flagged this PDF as malicious, and the embedded link points to known malicious infrastructure. Although no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to exploit user interest in gaming rewards to compromise their accounts or systems.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9399

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/431946152/funblox.xyz-free-robux-game-hack.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/funblox.xyz-free-robux-game-hack In PDF document text
    • http://thinkpro.ca/wp-content/uploads/fsqm-files/haktuts-coin-master-free-spins_GM406889139.pdfIn PDF document text
    • http://thinkpro.ca/wp-content/uploads/fsqm-files/free-tiktok-followers-no-human-verification-or-survey_GM835599320.pdfIn PDF document text
    • http://thinkpro.ca/wp-content/uploads/fsqm-files/tiktok-free-views_GM835599320.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003270.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3270 24640 bytes
SHA-256: 1d26b0ffab5d3ccfdc64c2fc67f0f6a98f292c4cf4acddb276a9bdb58102e3f5
font_01_sfnt_off00006a8c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6A8C 18416 bytes
SHA-256: 094e3ad3acb05c69538296255af77c281e929786c4e47907665e7e86d1bfa11c

Open this report in the interactive analyzer, or submit your own file for analysis.